The Soul of Windows Server 2008:
Server Core and Hyper-V 

In an exclusive interview, Bill Laing, general manager of 
Microsoft's Windows Server division, talks candidly about 
Windows Server 2008 features that surprised him, technology 
that might be hard for users, and lessons learned from this 
release. 

—KAREN FORSTER 


Read this article online at www.windowsitpro.com 


Avoid Windows Server 2008 
Integration Challenges 

Only hard-won experience can expose pitfalls that can cause frustration 
when you deploy a new OS. Before you implement Windows Server 
2008, benefit from an expert's lessons-learned about integration with AD, 
compatibility with Microsoft server applications, virtualization, backup, and 
antivirus and antispyware. 

—ALAN SUGANO 


InstantDoc ID 98197 


Active Directory Enhancements in
Windows Server 2008 

Take a tour through the changes and enhancements in Windows 
Server 2008 Active Directory (AD). In particular, examine the new 
read-only domain controller (RODC), and learn how it can help 
lower risks to your organization. 
Windows Server 2008 Editions Supporting RODCs

Names for AD Services Change in Windows Server 2008
VA2 uses Multiple Activation Keys (MAKs) or Key Management
organizations, eliminating the security and administrative problems
of Volume License Keys (VLKs).

—SEAN DEUBY
data," "normal settings," "locally accessed data," and "unwanted data."
—DAN HOLME
Once again, we've combed the Web for a new and scintillating collection
of free tools that promise to make your job easier. Get $500 worth of tools 
for nothing—except the time necessary to download them. 
—DOUGLAS TOOMBS 


PowerShell 101, Lesson 2

PowerShell lets you create pipelines that link cmdlets together to perform 
complex operations and refine retrieved information. Learn how to use 
a pipeline to create PowerShell statements and how to format and sort 
output from those statements. 

—ROBERT SHELDON 

How to Handle Long PowerShell Statements
Vista and Server 2008 Malware Protection
Gems 

Understand Data Execution Protection (DEP) and Address Space Layout 
Randomization (ASLR)—two defenses in Windows Server 2008 and 
Windows Vista that help you secure your system against attacks that use 
buffer overruns. 

—JAN DE CLERCQ 
Microsoft Office 2007 tips help you use forms-based authentication with
Office and SharePoint, remove Excel duplicates, set Recycle Bin settings in
SharePoint, and more.

—DAN HOLME
Add file extensions to GPOs with ADSI Edit, troubleshoot locked-out
accounts, and fight spam and phishing attacks by adding SPF records to
your DNS entries.


Ask the Experts

Learn about Microsoft Update Catalog 7.0, find out how to keep your
system secure with Live OneCare, and learn how to clear the Outlook
auto-complete address cache.
Read this article online at www.windowsitpro.com

IT PRO HERO 
Testing Windows Server 2008 

This month's IT Pro Hero, Arlin Sorensen, CEO for Heartland Technology 
Solutions, discusses his company's experiences testing Server 2008 and the 
benefits he expects to gain from the upgrade. 

—ANNE GRUBB 
Bill Hilf's open-source background has helped
Microsoft gain new direction, as a "platform" company
with a compatible set of end-to-end technologies.
FalconStor Software's virtual
tape library (VTL) storage
solutions


Industry Bytes

Jason Bovberg shares insights
from his chat with LANDesk,
while Todd Erickson discusses
trends in mobile device
management.


REVIEW
Specops Password Policy

A password policy enforcer
—PAUL THURROTT


REVIEW
O&O Defrag 10 Professional Edition
Group Policy Tools: Easing the Pain

Group Policy helps you
your Active Directory
(AD) environment.
Microsoft's new Group
Policy Preferences and
ISV products will make it
increasingly useful to more
organizations.
—CAROLINE MARWITZ
Connecting the IT Community

Introducing: Virtualization UPDATE

Evaluate, manage, and optimize virtualization technology in a Windows environment with Virtualization UPDATE. Each issue includes commentary on the virtualization market from Windows IT Pro Senior Editor Jeff James, as well as tips, tricks, and advice from vendors and experts. Virtualization UPDATE is your best source for keeping informed about the booming virtualization segment of the IT industry.
www.windowsitpro.com/Email

Step-by-Step Guide to Disaster-Recovery Planning

Would you like some practical guidance on developing, implementing, and testing your disaster-recovery plan? Have you ensured that your plan will work as expected and will scale as your business and IT needs evolve? Register for this Web seminar to find a holistic approach to disaster-recovery planning that combines available backup and recovery technologies.
www.windowsitpro.com/go/seminars/XOsoft/DisasterRecovery/?partnerref=marchcitc

SharePoint Pro Live! Technical Workshop Tour

Are you getting the most from Microsoft Office SharePoint Server 2007? Join SharePoint experts Dan Holme and Melissa Fraser to learn how to deploy and implement SharePoint Server and Windows SharePoint Services effectively in your organization. Register today to take advantage of preregistration online pricing for only $99!
www.windowsitpro.com/go/sptour

CONNECTIONS

April 27-30

Dive into new releases with Microsoft architects and industry experts! See page 24 for details.

Enterprise Performance Management for Emerging Businesses and Workgroups

Leverage business intelligence (BI) and Enterprise Project Management (EPM) solutions to manage your business's expansion and address complex reporting and compliance requirements. Download this white paper and ensure that your company has the BI and EPM tools to meet its current and future needs.
www.windowsitpro.com/go/wp/oracle/epm/?code=marchcitc


IM at Work

IM is an essential communication tool for many businesses, but with its efficiency can also come security risks. Keep your IM traffic safe with these helpful resources:

• "IM Risk Management for Enterprise," www.windowsitlibrary.com/Content/1802/06/toc.html

• "IM Security Primer," InstantDoc ID

Look Who's Talking (and Chatting and Surfing)

I confess. Sometimes my in-office IM conversations don't pertain to work, and maybe I check my personal email once in a while. But my responsibilities come first, and I always get my work done. So why am I freaked out that my employer could be watching my every move?

Monitoring employees' computer activities isn't anything new and, as forum member rain3d states, is a company's right as long as it's "understood by the employee in a written acceptable use policy (signed by employee) that the computers are for business use only and subject to monitoring" (www.windowsitpro.com/go/MonitorEmail).

Even if snooping on worker bees is legal, many people still feel that such actions are an invasion of privacy. Others think that surveillance is the only way to keep a business running efficiently. I agree that people should work while they're at work; I just don't remember when keeping employees scared became the only way to keep them honest.

Do you think that monitoring employees' computer activity is fair or that it's gone too far? Share your thoughts on my extended blog post at InstantDoc ID 98056, or email me at Christan.Humphries@penton.com.



IT Pro Perspective 


Open Source and Windows Server’s Direction 

Institutionalizing interoperability 


The unfortunate tagline for the launch of Windows Server 2003 was "Do more with less." Microsoft never comprehended the irony of that tagline—but it strikes me as fitting the company's mood five years ago. Competition from Linux had Microsoft nearly paralyzed. The company seemed to be desperately seeking direction. Now, in 2008, Microsoft has found a direction—thanks in large part to the people the company hired away from the Linux world.

In February 2004, Microsoft hired Bill Hilf from IBM. According to his official biography, Hilf "led IBM's Linux/Open Source Software technical strategy at a world-wide level for the Emerging and Competitive markets organization." Hilf's mission at Microsoft was to establish a Linux lab. Starting as one server under Hilf's desk, the lab has flourished and expanded—and Hilf's Microsoft career has rocketed. Hilf is now "General Manager of Platform Strategy, driving Microsoft's platform strategy efforts across the company. Bill's primary focus is to champion platform initiatives ... while leading long-term strategy planning in the Windows Server and Tools organization." That's a big change in a position that was, before Hilf, titled simply "General Manager of Windows Server Marketing." And this change signals a reinvigorated sense of direction.

The P Word

The key descriptor for Microsoft's newfound direction is the now-ubiquitous word "platform." How is the concept of Windows as a platform connected with Hilf's open-source background? I talked to Sam Ramji, director of Platform Technology Strategy, who reports directly to Hilf and oversees Microsoft's Open Source Software Lab, and the Microsoft and Novell Interoperability Lab in Cambridge, Mass.

Ramji spoke of insights from the Open Source Software Lab that are key to Microsoft's new focus: "We started having a bigger conversation, which included not just how do we bridge gaps with Linux, how do we compare to and compete with Linux, but how do we look at open source? It's a greater phenomenon than operating systems. It's really about how developers communicate, about how developers improve technology, and a different way for users to adopt technology."

Most important for Microsoft's concept of its own business is the idea that the OS is only a piece of the puzzle, which also includes all the technologies necessary to create business solutions. By thinking of itself as a "platform" company that has a compatible set of end-to-end technologies, Microsoft puts itself in a powerful position. Not only are there hundreds (if not thousands) of Linux permutations, but also a huge variety of technologies and applications are necessary to make an open-source business solution feasible—and all the pieces aren't necessarily compatible. Ramji said, "There's OSX, Linux, FreeBSD, Windows, Solaris, AIX, Oracle, SQL, MySQL, Postgres—there's whole bunch of technologies underneath it that may power it in some way. How does all this stuff mix?"

If Microsoft takes on the task of making all the technologies work together, the company's competitive position becomes unmatched. This thinking is at the heart of what Ramji calls Microsoft's decision to "institutionalize interoperability." Microsoft realized it can make money by supporting non-Microsoft technologies. Ramji even sees the future of Windows Server as being a platform for Linux in virtual environments. "We've always had a technological grounding, but we've added a business focus. Collectively, we [i.e., Hilf's open-source team] have gone from strategists and agitators to business owners. So interoperability is not just a good idea—it's actually the business strategy. I think that shows a lot of Hilf's rising star in the company—that institutionalizing interoperability that's happening. It says a lot that Bob Muglia and Steve Ballmer would look at Bill and say, 'This is the kind of leader we want to have in charge of our $4.5 billion growth business.'"

Institutionalizing Interoperability

Hilf's influence and recognition of virtualization's power to open new possibilities will guide the upcoming version of Windows. Linux has gone from a source of fear, to a source of optimism, which is even reflected in the Windows Server 2008 tagline: "Heroes happen here." (OK, I admit it's a typically lame Microsoft tagline. But you have to agree that it's more positive than "Do more with less." And don't even get me started on how you could interpret "institutionalizing interoperability."...)

InstantDoc ID 98111 
EDITOR'S NOTE

Windows IT Pro welcomes feedback about the magazine. Send comments to letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.

Oops

In the product review "HP Compaq dx2250 Microtower Business PC" (December 2007 InstantDoc ID 97321), we incorrectly defined the acronym TPM. The correct definition is Trusted Platform Module. We apologize for the error.
More Vista Annoyances

I read Michael Otey's Top 10 column, "Windows Vista Annoyances" (January 2008, InstantDoc ID 97490), and I agree with most of his annoyances. I thought I'd offer my own list of the top 10 reasons I'm not running Vista as my primary OS.

1. Windows Mail doesn't let me resize all columns.

2. Vista won't let me drag a new toolbar off the taskbar to the desktop. (I like to set up My Computer and My Network Places as an autohide toolbar on the right edge of the screen, like a sidebar.)

3. Disk Defragmenter forces me to defragment all drives, unless I use the command line; there's no GUI option for selecting individual drives.

4. When I choose to autohide the taskbar, Vista won't let me drag a shortcut to the taskbar without dragging it over the Start button area.

5. Vista requires more clicks for changing the time and for updating the time with a time server.

6. On the Vista taskbar and desktop, I can't right-click the network icon to access Properties, Repair, or Status options.

7. The functionality for watching newsgroup messages through Windows Mail doesn't work correctly. (Microsoft knows about the problem and won't fix it.)

8. When I view files in Windows Explorer's details view, an entire line has focus. Setting focus in the folder is difficult, especially using the Single-click to open an item option. I end up opening a file when all I want to do is set focus.

9. In Windows Explorer, I see no folder-size status information in the status line—only the number of files.

10. The sidebar has no autohide option.

—Gary Keramidas

Command-Prompt Castaway

Lazy administrators have overlooked command-line tools for ages. Curt Spanburgh's article, "Castaway on Command-Prompt Island" (January 2008, InstantDoc ID 97507), shows how the command line can save you a lot of work and time if you have a basic understanding of the tools—and an open mind to look further than the GUI.

—Rob Sanders

Who Are You?

I'm just now getting around to reading Karen Forster's IT Pro Perspective piece, "Microsoft Asks: Who Are You?" (December 2007, InstantDoc ID 97478).

Microsoft abandoned a lot of people with Exchange Server 2007. PowerShell is great if you're managing dozens of like servers, but I don't have many Exchange servers, and I don't want to be a UNIX administrator. I'm a child of Windows. I love the GUI. I hate that I'll have to perform certain command-line tasks because they aren't exposed in the Exchange Management Console (EMC). When Microsoft did its Exchange 2007 Technology Adoption Program (TAP), the company seemingly forgot to involve small to midsized business (SMB) Exchange administrators, because people like me don't want to deal with the command line.

I know SP1 exposes more in the GUI, but until it's all exposed (or at least 98 percent of it), I won't be satisfied. Is my visual nature part of my personal life? Maybe not in the true spirit of your article, but I would have been happy to give feedback about these changes to the Exchange 2007 team, had I been given the opportunity.

Your article gives me hope that Microsoft has recognized the error of its ways. In my case, the situation has caused me to pause an Exchange 2003-to-Exchange 2007 transition until I can get a better grasp of what isn't exposed in the GUI and what we're going to have to do from the command line.

—Trey Cook

Many readers have responded to this column, and all of them think Microsoft's Who Are You? efforts are a bad idea. So, it's good to get your hopeful perspective. By the way, you certainly aren't alone in your concern about Exchange and PowerShell.

Check out the blog entry I wrote on exactly that topic: www.windowsitpro.com/Article/ArticleID/95646/An_Exchange_Users_Lament.html. You'll find that a lot of people responded with similar concerns. Thank you for taking time to write.
—Karen Forster 
InstantDoc ID 98077 
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Fighting Spam 
and Phishing 
with SPF 

Everybody knows that unsolicited email advertising, commonly referred to as spam, and its even more evil descendant, phishing, can be both an annoyance and a security risk to an organization. Every day, phishers send emails purporting to be from organizations you do business with, attempting to convince the recipient to provide sensitive information, typically of a financial nature. 

Sender Policy Framework (SPF) records are designed to protect against forged emails and reduce the number of incoming spam messages a mail system (and sometimes users) has to process. Many times, spammers or phishers send email with a forged From address, hoping that the domain name they forge will catch a victim's attention or at least be allowed through spam filters. An SPF record is a DNS TXT record that a mail server or spam filter will access to verify the source of email messages as they arrive. Many email services began checking SPF records as early as 2004. 

Enabling SPF record checking in your mail server software or spam filtering software varies by vendor. Many Open Source email platforms support SPF record checking natively, and plugins (both free and commercial) are available for Microsoft Exchange platforms. You should, however, do more than just implement SPF record checking—you should place an SPF record in your own DNS entries to help fight spam and reduce the chance that a phishing attack utilizing your domain name is successful. Larger organizations might host their own external DNS servers, while others rely on their Web-hosting or domain-registration company's DNS servers. 

To add a TXT record in Windows DNS, select Administrative Tools under the Start menu, then choose DNS. From there, navigate to Forward Lookup Zones, then to the domain to which you want to add a TXT record. Right-click an empty space and select Other New Records. From there, choose Text (TXT). You can name the TXT record anything you want. Strings of code need to be entered into the Text field. For most organizations, the following TXT record value is acceptable to implement SPF: 

"v=spf1 a mx -all" 

This string essentially states that if the mail is received from an IP address that's listed in the sending domain's A or mail exchanger (MX) records, the mail is legitimate and should be processed. If specific IPs send email that isn't part of the A or MX records, they can be included using the ip4: mechanism, as the following shows: 

"v=spf1 a mx ip4:1.1.1.1 -all" 

In this example, the IP address of the additional mail server is 1.1.1.1. 

Prior to implementing SPF, you must make sure that you've identified each IP that mail originates from and each domain name used by your organization. For domains that mail should never be sent from, the following SPF record can be used: 

"v=spf1 -all" 

This SPF record states that the domain has no IPs that send mail, and the mail system receiving mail from this domain should automatically reject the message. 


As with all things technical, you need to test your implementation to ensure it functions as you expect. The Sender Policy Framework Web site (www.openspf.org) has some excellent tools to help you implement and test your SPF records. 

If the vast majority of DNS records contained SPF values and if the vast majority of email servers used SPF to check for valid email server IP addresses, the volume of spam and phishing email would be significantly reduced. We could then all go about the business of doing business without the nuisance and security risks associated with spam and phishing. 

—Nolan Garrett, Co-Founder 
and Chief IT Consultant, 
Intrinium, and Jeff Jones, 
Co-Founder and Chief Security 
Consultant, Intrinium 
InstantDoc ID 98034 
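
The three SPF records shown in this tip, evaluated the way a receiving mail server would evaluate them. This is an added example, not code from the authors or from any SPF library; the zone data (example.com, parked.example, nospf.example and the 192.0.2.x and 198.51.100.x addresses) is constructed, and only the a, mx, ip4 and all mechanisms used above are handled.

```python
import ipaddress

# Constructed zone data standing in for live DNS lookups. Every name and
# address is an example value, except 1.1.1.1, which the tip itself uses.
ZONE = {
    "example.com": {
        "A": ["192.0.2.10"],
        "MX": ["mail.example.com"],
        "TXT": ["v=spf1 a mx ip4:1.1.1.1 -all"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "parked.example": {"TXT": ["v=spf1 -all"]},
    "nospf.example": {"A": ["198.51.100.7"], "TXT": ["unrelated text record"]},
}

# Qualifier prefix -> result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the constructed records of one type for a name (empty if none)."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def addresses_of(host):
    """A records of a host as address objects."""
    return [ipaddress.ip_address(a) for a in lookup(host, "A")]


def evaluate_record(record, sender_ip, domain):
    """Evaluate one SPF record for a connecting IP, left to right.

    The first mechanism that matches decides the result.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        try:
            if name == "all":
                matched = True
            elif name == "a":
                matched = ip in addresses_of(arg or domain)
            elif name == "mx":
                hosts = lookup(arg or domain, "MX")
                matched = any(ip in addresses_of(h) for h in hosts)
            elif name == "ip4":
                matched = ip in ipaddress.ip_network(arg, strict=False)
            else:
                return "permerror"  # mechanism outside this example's scope
        except ValueError:
            return "permerror"  # malformed address or network in the record
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


def check_spf(sender_ip, domain):
    """Find the domain's SPF record among its TXT records and evaluate it."""
    records = [t for t in lookup(domain, "TXT")
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"       # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error
    return evaluate_record(records[0], sender_ip, domain)


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"),
                    ("192.0.2.25", "example.com"),
                    ("1.1.1.1", "example.com"),
                    ("203.0.113.99", "example.com"),
                    ("192.0.2.10", "parked.example"),
                    ("198.51.100.7", "nospf.example")]:
        print(f"{ip:>14} claiming {dom:<15} -> {check_spf(ip, dom)}")
```

Evaluating "v=spf1 a mx -all" for 1.1.1.1 returns fail, which is why a server outside the A and MX records needs its own ip4: entry before the -all policy is published.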

Use ADSI Edit to 
Associate File 
Extensions 

Applications that you deploy with Group Policy Software Installation sometimes don't register their file extensions. Consequently, when someone double-clicks a file that has an extension of one of those published applications, the auto-install feature doesn't work. 

This situation most often occurs in applications that weren't designed for deployment through Group Policy Software Installation but were deployed anyway through some minor tweaks. (If you're unfamiliar with Group Policy Software Installation, see technet2.microsoft.com/windowsserver/en/library/4bdaf0f7-b7ac-41a6-9d25-9eab6aa1965c1033.mspx.) 

EDITOR’S NOTE 

Share your Windows discoveries, comments, solutions to problems, and experiences with products and reach out to other Windows IT Pro readers (including Microsoft). Email your contributions to r2r@windowsitpro.com. Please include your phone number. We edit submissions for style, grammar, and length. If we print your submission, you’ll get $100. Submissions and listings are available online at www.windowsitpro.com. Enter the InstantDoc ID number in the InstantDoc ID text box. 

One way to solve the file extension problem is to use ADSI Edit to manually add the file extensions to the Group Policy Object (GPO) that publishes the applications. To show you how this solution works, let's walk through the steps you'd use to add the file extension for Microsoft Visio 2007 Viewer, which unfortunately wasn't designed for deployment through Group Policy Software Installation. Here are the steps you need to follow: 

1. Download Visio 2007 Viewer (visioviewer.exe) from the Microsoft Download Center (www.microsoft.com/downloads/details.aspx?FamilyId=D88E4542-B174-4198-AE31-6884E9EDD524&displaylang=en). You'll need WinZip to unzip this file. If you don't have WinZip, you can use 7-Zip, which is freeware that you can download from www.7-zip.org. 

2. Double-click visioviewer.exe. In the window that appears, right-click visioviewer.exe and select the option to extract the files to a new folder. After the extraction operation completes, the folder should contain five files, including vviewer.msi. Copy that folder to the share you use for GPO-installed packages. 

3. Create a new GPO, go to the User Configuration\Software Installation folder in the Microsoft Management Console (MMC) Group Policy snap-in, and use the vviewer.msi file to publish the application. Because Microsoft didn't create Visio 2007 Viewer with GPO installation in mind, the file extension .vsd doesn't get registered. 

4. Obtain the globally unique identifier (GUID) of the GPO you used to publish Visio 2007 Viewer. To get it, open the GPO and move to the root level, which is the level above Computer Configuration. Right-click and select Properties. The GUID appears in the Unique name field. 

5. Use ADSI Edit to edit the GPO. (If you don't have this tool installed already, you can find it in the Windows Server 2003 Support Tools.) Under the Start menu, select Run. In the Run dialog box, type adsiedit.msc and click OK. After ADSI Edit opens, go to the Action menu and select the Connect to option to open the Connection Settings dialog box. In the dialog box's Connection Point section, click Select a well known Naming Context and select Domain from the list. In the Computer section, enter the name of your nearest domain controller (DC). Click OK. 

6. Navigate to Domain, DC=<your AD domain's LDAP name>, CN=System, CN=Policies, CN=<your GPO's GUID>, CN=User, CN=Class Store, CN=Packages. Here you'll find representations for all your GPOs. If you have more than one GPO, you'll have to manually find the correct one by double-clicking each GPO and checking the value of the displayName attribute, which needs to be Visio Viewer in this case. 

7. After you find the correct GPO, look for its fileExtPriority attribute and open it. (If you don't see this attribute, clear the Show only attributes that have values checkbox.) In the dialog box that appears, enter the extensions you want to associate with this package. Visio 2007 Viewer's extension is .vsd, so you'd enter 

.vsd: 0 

Note that you must include the space between the colon (:) and the value of 0. Click Add. You can enter multiple extensions, following the procedure I just described. 

That's it! Now, whenever users double-click .vsd files, Visio 2007 Viewer will automatically get installed. Interestingly, if you add more extensions after the initial deployment of the package, you don't have to wait for Group Policy to be refreshed for the change to take effect. It works instantly! 

—Apostolos Fotakelis, Systems Administrator, Aristotle University of Thessaloniki, and freelance IT consultant 
InstantDoc ID 97782 


Tools for 
Troubleshooting 
Locked-Out 
Accounts 

Troubleshooting locked-out accounts can be difficult and time-consuming. Cached credentials on drive mappings, Microsoft IIS application pools, COM+ objects, scheduled tasks, services, and interactive logons are all common causes of account lockouts. Fortunately, Microsoft provides tools and techniques to help you narrow the search for the root cause, including the Account Lockout and Management Tools. You can download these tools from the Microsoft Download Center at www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-999ADDE0B9E&displaylang=en. 

At my organization, we recently used the following tools to locate the root cause of a locked-out account that was discovered during one of our regularly scheduled password changes: 

EventCombMT.exe. EventCombMT.exe collects and filters events from the event logs of domain controllers (DCs) within a specified domain. This tool features a built-in search for account lockouts, which defaults the search to the security log. It populates the Event ID field with relevant event IDs (i.e., IDs of events that pertain to locked-out accounts). Consolidating the lockout events into text files in a common folder provides a quick way to search for the locked-out account and the name of the server or workstation from which the lockout originated. 

LockoutStatus.exe. LockoutStatus.exe examines all DCs in a domain, letting you know when the target account last locked out and from which DC. In addition, it provides the locked-out account's current status and the number of bad password attempts that have been made. Depending on the topology of the Windows domain, this information can help you determine whether the server or workstation locking out the account is located at a particular site. 

Netlogon logging used for tracking Netlogon and NT LAN Manager (NTLM) events. Enabling Netlogon logging on all DCs is an effective way to isolate a locked-out account and see where the account is being locked out. The Microsoft article "Enabling debug logging for the Net Logon service" (support.microsoft.com/kb/109626) contains information about how to enable Netlogon logging on the various versions of Windows. Although Netlogon logging isn't part of the Account Lockout and Management Tools, NLParse.exe is used to parse the Netlogon logs—and NLParse.exe is one of the account lockout tools. Enabling Netlogon logging can create large files quickly, so using NLParse.exe to locate relevant events in the Netlogon log can save time when troubleshooting lockouts. The output from NLParse.exe is extracted to a comma-separated value (CSV) file, where it can be easily searched or sorted. 

The Account Lockout and Management Tools helped us reduce the amount of effort it took to locate the root cause of our locked-out account. They helped us target our energy at specific servers or workstations in our organization. 

—Brent McCraney, Senior Technical Analyst, Ontario Teachers’ Pension Plan 

InstantDoc ID 98031 
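
The kind of filtering described above for NLParse.exe, sketched as an added example (not the tool's code and not from the author of this tip): it pulls failed logons out of Netlogon debug log lines, counts the originating computer per account, and writes CSV. The log line layout, the two status codes (0xC000006A for a wrong password, 0xC0000234 for a locked-out account) and every account and host name are assumptions, and the sample lines are constructed.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Status codes to keep (assumed NTSTATUS values, not taken from the tip).
STATUS_MEANING = {
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
}

# Constructed sample lines in the layout Netlogon debug logs commonly use.
SAMPLE_LOG = r"""
03/04 08:15:02 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from WKS-0142 Entered
03/04 08:15:02 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from WKS-0142 Returns 0xC000006A
03/04 08:15:09 [LOGON] SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-0142 (via EXCH01) Returns 0xC000006A
03/04 08:15:31 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from WKS-0142 Returns 0xC0000234
03/04 08:16:10 [LOGON] SamLogon: Network logon of CONTOSO\asmith from WKS-0007 Returns 0x0
03/04 08:17:44 [MISC] DsGetDcName function called: Dom:CONTOSO Acct:(null) Flags: DS NETBIOS RET_DNS
03/04 08:18:03 [LOGON] SamLogon: Interactive logon of CONTOSO\svc_backup from APP03 Returns 0xC000006A
"""

# Only completed logon attempts ("Returns <status>") carry a result code.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \[LOGON\] .*?"
    r"logon of (?P<domain>[^\\\s]+)\\(?P<user>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_line(line):
    """Return one logon result as a dict, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "date": m.group("date"),
        "time": m.group("time"),
        "account": m.group("domain") + "\\" + m.group("user"),
        "source": m.group("source"),
        "via": m.group("via") or "",
        "status": int(m.group("status"), 16),
    }


def failed_logons(lines):
    """Keep only the attempts whose status is in STATUS_MEANING."""
    events = []
    for line in lines:
        event = parse_line(line)
        if event and event["status"] in STATUS_MEANING:
            events.append(event)
    return events


def sources_by_account(events):
    """Count, per account, which computers the failed attempts came from."""
    summary = defaultdict(Counter)
    for event in events:
        summary[event["account"]][event["source"]] += 1
    return summary


def to_csv(events):
    """Render the filtered events as CSV text for sorting or searching."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["date", "time", "account", "source", "via", "status", "meaning"])
    for e in events:
        writer.writerow([e["date"], e["time"], e["account"], e["source"], e["via"],
                         "0x%08X" % e["status"], STATUS_MEANING[e["status"]]])
    return buf.getvalue()


if __name__ == "__main__":
    found = failed_logons(SAMPLE_LOG.splitlines())
    print(to_csv(found), end="")
    for account, sources in sources_by_account(found).items():
        print(account, dict(sources))
```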
Product Spotlight 

Microsoft Systems Center Operation Manager 

Create and Display Operations Manager Information Visually 

Bringing visual mapping features to Microsoft System Center Operations Manager 2007 is the focus of Savision’s new mapping product: Live Maps for Operations Manager 2007. According to Savision, this product is the first mapping product to integrate with Operation Manager. Using Live Maps, admins can create visual, map-based views of their IT infrastructures. Each user of the system can have a unique view into the data that Live Maps generates, from a strategic, top-level view for the CIO to a functional, operational perspective for a network administrator. For more information, contact Savision at 905-812-0638 or visit www.savision.com. 

Storage/Backup and Recovery 

Optimize Key DPM 2007 Tape Archive Functions 

FalconStor Software announced that it has successfully tested all its virtual tape library (VTL) storage solutions with Microsoft System Center Data Protection Manager (DPM) 2007. IT storage planners and architects can now combine DPM 2007 with new and existing heterogeneous environments by integrating FalconStor VTL features with multiple backup applications that share tape library resources. FalconStor presented its VTL solutions at Microsoft TechEd last year in Barcelona, Spain. For more information, contact FalconStor at 866-669-3252 or visit www.falconstor.com. 
Backup and Recovery 

Real-time Mirroring, Synchronization, and Backups on Windows 

RAID-1 capabilities are typically available only in software, which is expensive. Techsoft offers a less expensive alternative with MirrorFolder 4.1, a real-time mirroring and synchronization application that backs up files from a local Windows drive to any local, removable, or network drive. In RAID-1 mode, MirrorFolder creates a real-time, bootable backup of your hard drive on another local drive. MirrorFolder works on Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 Server servers. For more information, contact Techsoft at info@techsoftpl.com or visit www.techsoftpl.com. 
Security 

Manage User Account Lockouts 

Account Lockout Examiner from NetWrix is designed to help IT pros manage and troubleshoot account lockout policy. NetWrix tracks account lockouts in real-time, and can be configured to automate work related to detecting and responding to account lockout situations. A Web-based portal allows help desk personnel to manage account lockout issues, and many program functions are accessible remotely from handheld devices. A version of Account Lockout Examiner for PowerShell is also available. For more information, contact NetWrix at 888-638-9749 or visit www.netwrix.com. 

InstantDoc ID 98001 


www.windowsitpro.com 


We’re in IT with You 


Windows IT Pro MARCH 2008 15 

Industry Bytes 


Insights from the industry 

Manage Your Mobile and Distributed Systems As If They’re Local 


Remote workers disconnected from the corporate LAN can 
pose a big threat to your network. Traditional systems 
management software can only actively manage assets that 
are inside your corporate firewall. You’re probably looking for a 
product that extends management beyond the corporate LAN 
and actively manages remote devices through the Internet— 
without the need for costly VPN connections. LANDesk has a 
product you need to look at. 

“Our customers are really interested in doing more with less,” said Nathan McLain, LANDesk’s product manager for the LANDesk Management Gateway Appliance. “People are worried about management functions, security, policy enforcement and so on. The challenge that has brought the Management Gateway solution is a growing, geographically distributed workforce. Mobile users are proliferating, and as one of our beta testers said, ‘I’m not only responsible for my local division; I’m now responsible for another 25 divisions, along with all those servers, desktops, and mobile devices, distributed throughout different geographies!’” 


Odyssey Software Tackles Mobile Device Management with Athena 


Managing the proliferation of mobile devices is the focus of a new product from Odyssey Software: the Athena Add-In wireless device manager for Microsoft System Center Configuration Manager (SCCM) 2007. According to Odyssey, the extended mobile device management provided by Athena is now integrated with the SCCM console to increase administrative control over enterprise mobile devices without the need to launch a separate proprietary console. 

Odyssey Software President and CEO Mark Gentile announced the release of Athena at the 2007 Microsoft TechEd IT Forum in Barcelona, Spain. According to Gentile, Athena integrates with SCCM to provide extended device management and support for any mobile device running Microsoft Windows Mobile and Windows Embedded CE, including consumer mobile devices, ruggedized portables, and smart phones. 

Gentile explained that Athena allows admins more control of mobile devices over any public or private IP-based network, including live remote-control functionality for troubleshooting, the ability to distribute software and control settings-management and policy enforcement from a central location, and the ability to see what applications the device is running. 

Athena does not use a dedicated server, process, or even a console. “The heart of the product is really an agent that resides on the device,” says Gentile. “SCCM can deploy that agent out of the box.” 

Gentile says Odyssey is developing a similar add-in for Microsoft System Center Mobile Device Manager 2008 and a management pack for System Center Operations Manager. 

Tony Rizzo, director of mobile technology research for industry analyst The 451 Group, says “more and more Microsoft shops will adopt the Odyssey platform,” as a result of Odyssey’s deepening affiliation with Microsoft. 

But, Microsoft’s history of partnering up with companies and their innovative technologies—at least until it can produce the technology itself—should worry Odyssey. Rizzo says things are going well for Odyssey now, but the company needs to watch out if Microsoft decides to veer away from its affiliation with Odyssey once they can duplicate the functionality of tools like Athena. 

Rizzo believes the enterprise mobility market will grow substantially in 2009, with the number of active mobile device users expected to be near 80 percent. “This market is still in its infancy,” Rizzo says. He believes next year will be the “on-ramp” year for enterprise mobile technology market players to establish themselves. 


The LANDesk Management Gateway Appliance solves the problem of remotely managing geographically distributed sites any time, anywhere. “In the traditional sense of remote, secure connections,” McLain said, “you typically think of a VPN, which punches a hole in the firewall and lets anybody with a username and password access the corporate network. That might be OK for salespeople who will get to a VPN to be managed, but in the real world, mobile and distributed systems aren’t that connected to the network. Most users don’t use the VPN regularly and thus aren’t manageable that way.” 

With the LANDesk Management Gateway Appliance, a laptop with the LANDesk Management agent can call home and obtain a brokered, secure communication over SSL. Through that gateway, the remote system can download software distributions, pull down policies, and even allow the administrator to remotely control the device. In other words, the appliance permits the kind of functionality that you have on the local network from anywhere in the world. “The IT administrator uses LANDesk software for inventory, software distribution (updates, application), remote control (very important for support), and security (policy enforcement),” said McLain. “The LANDesk Management Gateway Appliance lets you do that anywhere.” 

The solution’s plug-and-play (PnP) capability lets you instantly deploy, set up, and manage desktops and laptops outside the firewall in order to immediately inventory and bring corporate assets into compliance. 

—Jason Bovberg 
InstantDoc ID 97516 


—Todd Erickson 
InstantDoc ID 97657 
Driven by customer feedback, Windows Server 2008 provides a 
host of important new features that make it Microsoft’s best server 
operating system to date. Here are the top 10 reasons to make the 
move to Windows Server 2008. 


1 Hyper-V Virtualization - Virtualization is one of the hottest IT technologies 
and three editions of Windows Server 2008 include Microsoft’s new Hyper-V 
virtualization support. Hyper-V uses an all new lightweight hypervisor that’s able 
to take full advantage of the new hardware assisted virtualization support 
built-in to the latest AMD-V and Intel V-T enabled CPUs. The net result is vastly 
improved host scalability and improved VM guest performance with no need for 
additional virtualization software. 


2 Server Core - Another huge reason to migrate to Windows Server 2008 
is a new type of server installation known as the Server Core. Server Core is 
Microsoft’s answer to headless Linux implementations. Server Core is a lean 
and mean version of the Windows Server 2008 OS that’s primarily designed 
for ultra reliable infrastructure support. Server Core systems can act as a 
domain controller, a DNS server, a DHCP server, a file and print server and a 
virtualization host. All unnecessary components like the graphical shell, IE, the 
.NET Framework, and Outlook have all been stripped out. The net result is 
improved performance and security with less need for patching. 


3 Server Manager — The new Windows Server 2008 Server Manager makes 
administration of Windows Server 2008 easier and more effective than ever 
before. The new Server Manager provides a role-based central management 
dashboard for your server. The new Server Manager combines the functionality 
of the older Windows Server 2003 Manage Your Server window and the 
Security Configuration Wizard. Using the new Server Manager you can add 
and change server roles and features installed on the server as well as drill into 
any related event log messages. Server Manager is completely integrated with 
Windows Server 2008 security and as you add and remove roles and features 
it also automatically performs security related tasks like opening and closing 
firewall ports. 

4 Network Access Protection (NAP) — The inclusion of NAP is another great 
reason to migrate to Windows Server 2008. Using NAP, an administrator can 
create customized system health and security levels that a networked client must 
comply with before being granted network access. For example, a networked 
client might be required to have a certain software update level, antivirus 
software installed, or a firewall enabled before they are granted network access. 
Networked clients that don’t meet the organization’s standards will have 
restricted network access until they come into compliance. 
5 Read Only Domain Controller (RODC) - For organizations that support 
distributed branch office deployments Windows Server 2008’s new RODC 
capability is another great reason to move to Windows Server 2008. The new 
RODC enables you to deploy a domain controller that hosts a read-only copy 
of the domain database to a remote or insecure location. The RODCs can’t 
make any changes to the AD database and therefore don’t replicate AD changes 
to the master domain controllers. RODCs can provide improved security and 
faster logon times for the network users in remote or branch office locations. 


6 Internet Information Service 7.0 — For Web servers, the new enhancements 
to IIS7 make a compelling case to adopt Windows Server 2008. IIS7 has a new 
modular architecture that gives an administrator a more finely grained ability to 
control exactly which features are installed on the Web server. IIS7 provides an 
entirely new management UI that lets an administrator manage both Web server 
and ASP.NET properties. In addition, IIS7 dispenses with the old metabase and 
it now stores its configuration settings in an XML file. 


7 Terminal Services - Terminal Services in Windows Server 2008 have also 
been enhanced. Using the new Remote Desktop Protocol (RDP) 
6.0, the new Terminal Services support in Windows Server 2008 now offers the 
ability to share a single remote application rather than the entire desktop. From 
the remote user’s perspective, running the remote terminal services application 
looks just like executing a local application. There is also a new Terminal 
Services Web Access feature that enables browser-based web access to Terminal 
Services. 
8 Failover Clustering — For improved availability Windows Server 2008 also 
provides a number of enhancements to Failover Clustering. Architecturally, 
Windows Server 2008 Failover Clustering features a new quorum model 
that removes the quorum as a single point of failure. A new setup wizard and 
management console simplify cluster administration. In addition, there’s also no 
longer a need to buy systems off the Hardware Compatibility List (HCL). A new 
hardware configuration validation reports on a system’s suitability for clustering. 


9 New Backup and Recovery Tools — All new backup and restore tools are 
another great reason to consider migrating to Windows Server 2008. The 
old hard-to-use NTBackup application found in Windows 2000 Server and 
Windows Server 2003 has been replaced. The new backup is easier to use and 
is able to perform system image backups. It uses Volume Shadow Copy Service 
(VSS) to perform block-level backups and can now back up to DVD. 


10 Hardened System Security - Improved security may be the best reason to 
migrate to Windows Server 2008. Built on top of the hardened Windows Vista 
core, Windows Server 2008 is the most secure operating system that Microsoft 
has produced. Windows Server 2008 takes a shields-up approach to security 
where everything is locked down from the time the system is installed until you 
begin to open it up by installing roles using Server Manager. Windows Server 
2008 also has an updated version of the Windows Firewall. The new Windows 
Firewall supports filtering both incoming and outgoing traffic and can be 
configured using group policies or the new Microsoft Management Console. 
O&O Defrag 10 Professional Edition 

Editor’s Note: Following is a summarized version of Jeff James’ review of O&O Defrag 10 
Professional Edition. To read a full-length version of the article, go to www.windowsitpro.com 
and enter InstantDoc ID 97966. 

Keeping your hard disks organized and optimized is one of the regular maintenance 
tasks that most IT pros don’t like to do but that must be done on a regular basis. 
Defragmenting your hard disks not only improves system performance and reliability, but also 
keeps small hard disk problems from becoming large hard disk problems. Enter O&O 
Software’s O&O Defrag 10 Professional Edition, a robust, standalone disk-defragmentation tool. 

O&O Defrag 10 supports the 32-bit and 64-bit versions of Windows Vista and Windows 
XP, as well as Windows 2000 Professional. Installing the product is quick and painless, 
and it even provides several options to help you configure the software correctly for a given 
piece of hardware. 

The product offers five defragmentation methods, which are shown in Web Figure 1 
(www.windowsitpro.com, InstantDoc ID 97966). The O&O Defrag 10 interface is clean, 
attractive, and strongly resembles Microsoft Office 2007’s ribbon-based UI. The default 
view provides detailed information about the disks currently being defragmented. You can 
schedule defragmentation tasks in advance by using O&O Defrag 10’s defragmentation 
scheduling tool. Also, you can create multiple defragmentation jobs at once to save time and streamline your defragmentation tasks. 

I installed and ran O&O Defrag 10 on a network running Vista and XP machines, and tested the software by using each of the 
defragmentation methods. All the defragmented machines showed a range of speed improvements related to disk access, with a 
system running XP (and booting from a heavily fragmented local disk) showing nearly a 10-second improvement in boot times. Speed 
improvements varied, but were most noticeable on older machines running XP. If you’re trying to squeeze as much life as possible 
out of an existing IT infrastructure still running XP, upgrading to XP SP3 and investing in a disk-defragmentation tool, such as O&O 
Defrag 10, might help you maximize your existing IT investment. 

The version of O&O Defrag 10 that I tested was primarily aimed at small-to-midsized businesses (SMBs). However, large enterprises 
that are looking for better network support and a central control console might want to take a look at O&O Defrag 10 Server Edition. 

I do have some gripes about O&O Defrag 10, but they’re minor. One thing I don’t like is that O&O Software doesn’t have an office in 
the United States, which could be a problem for businesses that prefer a stateside sales and support office. However, that shouldn’t 
discourage you from trying what is arguably one of the best disk-defragmentation tools available today. 

InstantDoc ID 97966 
—Jeff James 


SUMMARY 


O&O Defrag 10 
Professional Edition 


Robust feature set; attractive 
interface; multiple defragmentation options 

O&O Software lacks a US office; 
doesn’t offer multiple licenses for SMBs 

♦♦♦♦❖ 

$44.95/computer for 
Professional Edition; $249/computer for 
Server Edition; volume discounts available 

O&O Defrag 10 is one of the best disk-defragmentation 
tools on the market today—I highly recommend you try it. 

O&O Software • www.oo-software.com • +49-30-4303-4303 




Summaries of in-depth product 
reviews on Paul Thurrott’s 
SuperSite for Windows 
www.winsupersite.com 




A continuation of the solid Mac OS X; better network browsing 
Buggy initial release; no clear value proposition when compared to Windows Vista 

♦♦♦♦O 

Leopard disappoints only in that it’s not the major upgrade that Apple touts. A 
continuation of the mature and capable Tiger, Leopard’s new features are hard to spot: a backup 
application, Time Machine, that’s laughably childish; a multiple-desktop utility called Spaces; and that’s 
about it. Leopard has been given a spit-shine, though some features aren’t as successful as others. 
Particularly bad are the Stacks pop-up windows and the bland folder icons. Apple continually updates its 
products, though, so these nitpicks might be fixed by the time you read this. Overall, Leopard is a solid 
update but offers no reason to switch from Windows. 

Apple • 800-275-2273 • apple.com 

www.winsupersite.com/reviews/macosx_leopard.asp 




Dramatic new functionality; IMAP support 
for Gmail 

No Microsoft Exchange support; 
Microsoft Outlook calendar sync is broken 

♦♦♦♦O 

As flawed as it is technically 
exciting, Apple’s recent major iPhone update 
adds a slew of functionality and plugs holes from 
previous releases. Now, the iPhone Home screen 
lets you push superfluous icons to a secondary 
page and add Web application shortcuts called 
Web Clips. Google Maps has been updated 
with a GPS-like location function, and the Mail 
application fully supports IMAP-based Gmail. 
Lack of Exchange support limits iPhone’s appeal 
for corporations. And Outlook calendar sync 
doesn’t work right on many Windows-based 
PCs. 

Apple • 800-275-2273 • apple.com 
www.winsupersite.com/reviews/iphone_08.asp#M3 
Reviews 


Specops Password Policy 

Editor’s Note: To read the full-length version of this review, go to www.windowsitpro.com and enter InstantDoc ID 98074. 


Special Operations Software’s Specops 
Password Policy (SPP) is a password 
policy enforcer that lets you create 
multiple password policies in the same 
domain. In my quest to keep my Active 
Directory (AD) forest as simple as possible, 
and yet be able to set multiple 
password policies, I recently tested SPP. 

After I installed Microsoft .Net Framework 
2.0 SP1 and the Group Policy 
Management Console (GPMC) on the 
DC (both are prerequisites for installing 
the Specops application), I was ready 
to install the Specops Password Policy 
Domain Administration tool by click- 


Started Wiki that I found online, and it 
stepped me through creating all of the 
policies. SPP is laid out extremely well 
and is very simple to navigate. You use 
this one tool to create password policy 
templates. You then use the standard 
Microsoft Group Policy Management 
Console (GPMC) to deploy the templates 
via Group Policy. It couldn’t be simpler. 

When I was done, each of my three 
OUs had a different password policy. 

With SPP, an endless set of password 
policy configurations is available. Some 
configurations will be familiar as they 
mimic the standard settings in the default 


Not only can you require the setting 
“three of the four” character types as the 
standard Microsoft “complex password 
setting” requires, you can specify how 
many of each character is required. 


SUMMARY 


Specops Password Policy 

Easy creation of multiple password 
policies in the same Active Directory (AD) 
domain; extremely simple interface; tight 
integration into Active Directory Users and 
Computers and Group Policy Management 
Console; no AD Schema updates necessary 


Not able to copy existing Specops 
password template to use as a baseline when 
creating a new template, making creating 
new templates based on existing templates 
difficult; firewall must be disabled to install 
the Sentinel service remotely 





$1,200 per domain plus $4 per 
user; volume discounts for domains above 
500 users 

If you need mul¬ 
tiple password policies and are considering 
adding multiple domains to accomplish this, 
check out Specops Password Policy. 


CONTACT 


Special Operations Software ■ 
www.specopssoft.com • 866-857-5325 


ing Setup.exe. The software installation 
requires a reboot, so be sure to add this 
to your deployment plan. 

After the installation was finished, I 
registered a special Specops extension 
to the Active Directory Users and Com¬ 
puters extension by running SpecopsA- 
ducMenuExtensionlnstaller.exe with the 
parameter /add. This 
let me see the new 
Specops features 
in Active Directory 
Users and Computers, 
which Figure I shows. 

What’s nice about this 
added functionality is 
that it’s not a Schema 
update but simply 
updates the Active 
Directory Users and 
Computers tool. 

I decided to create 
a separate password 
policy for each of my 
organizational units. 

I followed the Getting 


domain GPO. Other settings will be a new 
and welcomed sight. For example, not 
only can you require the setting “three of 
the four” character types as the standard 
Microsoft “complex password setting” 
requires, you can specify how many of 
each character is required. 

If you’re contemplating adding a sec¬ 


ond domain because you have to have 
another password policy, I recommend 
that you make your life easier and instead 
check out Specops Password Policy. ^ 
InstantDoc ID 98074 
— Eric B. Rux 
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Figure 1: SPP integration with ADUC 
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Comparative Review 


Online Office Suites 

Can a low- or no-cost online office suite replace Microsoft Office? 


When it comes to the workhorses of business 
software—word processors, spreadsheets, 
and presentation software—the Microsoft 
Office suite has ruled the corporate roost for more than 
a decade. Anyone remember WordPerfect, Lotus 1-2-3, 
or Harvard Graphics? Like Pete Best—the onetime 
member of the Beatles who was dismissed before the 
band hit the big time—those once-famous applications 
were relegated to bystander status as Office became the 
preeminent office application suite. Corel, IBM, and Harvard 
Graphics were slow to port their wares to Windows, 
and history has proven the folly of being slow to adapt to 
changes in the market. Some might argue that Microsoft's 
overly aggressive pricing and ability to bundle Office 
with new PCs had more of an impact on the fate of those 
applications, but the outcome isn't in dispute: Microsoft 
became the dominant provider of business application 
software with Office and hasn't looked back. 

Fast forward to 2008: Today, Microsoft Office is 
fending off challenges from new competitors. Thanks 
in part to the remarkable growth of the Internet and 
the explosion of high-speed Internet access, a new 
generation of Web applications is beginning to compete 
with traditional office-productivity products such as 
Microsoft Word, Excel, and PowerPoint. Unlike traditional 
applications that are installed and maintained 
on a local client, these online apps live entirely on the 
Web, and their files reside on the application provider's 
file servers. For example, Google Docs lets you create, 
edit, print, and save spreadsheet, word processor, and 
presentation documents without needing to install an 
application on your PC. These products also leverage 
the strengths of the Internet by allowing for the easy 
sharing of documents among office workers who are 
separated geographically from one another. And here's 
the kicker: Most of these online apps are free (or very 
low cost), which has captured the interest of many cash-strapped 
IT managers. 

The sheer number and diversity of online apps has 
mushroomed over the past few years: Online word processors 
such as Adobe Buzzword and Coventi Pages 
allow documents to be created, edited, and shared 
online, and online spreadsheets such as Team and Concept's 
EditGrid and TrimPath's Num Sum do the same 
for workbooks. Even Dan Bricklin—the co-creator of 
VisiCalc, the world's first spreadsheet—has entered the 
online app arena with Software Garden's wikiCalc. All 
of this development is good news, but do any of these 
online applications really have a chance of unseating 
Office as the premier business application suite? To 
find out, I've compared five of the most popular online 
office products that offer word processing, spreadsheet, 
and presentation capability: Ajax13, Silveroffice gOFFICE, 
Google Docs, ThinkFree Online, and the Zoho 
office suite. Instacoll's Live Documents office suite was 
announced at press time, but Instacoll didn't respond 
to our invitation to participate in this review. Transmedia's 
Glide Business offers online applications but also 
includes extensive OS replacement features that are 
beyond the scope of this review. 

Although Microsoft has been slow to respond to the 
challenge these newcomers present, it has begun to 
articulate a new "Software plus Services" strategy that 
attempts to combine the strengths of the traditional 
Office applications with the improved flexibility and 
collaborative nature of Web applications. The beta of 
Microsoft Office Live Workspace, which was announced 
just before press time, is a product of that strategy. (For 
more information, see the sidebar "Microsoft Office 
Live Workspace: A Winning Strategy?" on page 22.) 

To test how well these online office suites compete 
with (and work together with) Microsoft Office, I created 
sample Excel, PowerPoint, and Word documents, then 
used each of the online suites to load, edit, save, and 
print each document. If any application couldn't import 
the documents, I created an approximation of each 
document manually by using the relevant application's 
editing tools. Table 1, page 23, provides a price- and 
feature-comparison summary of all five products. 

Finally, in the interest of fairness, all of these products 
are classified as betas in development by their 
vendors. Nearly all exhibited minor glitches or bugs, 
so you'll want to consider criticisms of the behavior of 
certain program functions in that context. 



by Jeff James 


Google Docs 

Although Google Docs is the most well-known online 
product that replicates some of the functionality of 
Microsoft Office, it isn't—as of this writing—the best 
Web-based alternative to Office. Google Docs is available 
in a free edition for home and small-business use, 
and Google also offers a Premier Edition that includes 
extra features—mainly security and support features— 
for business use. For example, the Premier Edition 
includes APIs that let Google Docs integrate easily 
with an existing IT infrastructure, offers 25GB of storage 
space per account (the free version offers 2.75GB), 
and provides access to Postini spam control and other 
business-oriented features. 

Google Docs did an admirable job preserving 
the appearance of my sample Word 
document and left most of the formatting 
intact. The test PowerPoint document 
was imported without too many glitches, 
although some text overflowed existing text 
boxes, and font sizes varied from the original 
Word document. The Excel document was 
larger than the 1MB size limit Google Docs 
imposes for Excel documents, but smaller 
worksheets loaded without problems. 

The ability to share documents with others 
and easily track shared document revisions 
is a slick feature, and the recent release 
of Google Gears—an API that enables online 
applications that use it to be run offline— 
promises to make Google Docs even more 
useful. You can save documents that you 
create with Google Docs locally for editing 
with other applications, but the current version 
of Google Docs can't edit documents 
offline. (Ironically, Zoho Writer uses Google 
Gears to provide offline document-editing 
features.) 

Google Docs can be a good choice for 
home and small-office work, but the limited 
feature set means it isn't ready to replace 
Office for the majority of users. That said, 
the document collaboration features are 
usable, Google Gears shows great promise 
for improving integration between online 
and offline files, and Google will undoubtedly 
upgrade the functionality of Google 
Docs in the months and years to come. 


SUMMARY 


Google Docs 

PROS: Tight integration with best-of-breed 
Web email; lots of storage space for 
documents; fast performance and good 
reliability; excellent document-sharing 
functionality 

CONS: Not as feature-packed as 
ThinkFree and Zoho office suite; competitive 
solutions offer more applications, ability 
to edit documents offline 

RATING: 

PRICE: Free for standard edition; $50 per 
user, per year for Premier Edition 

RECOMMENDATION: A good 
Microsoft Office alternative for home users 
and small businesses that don’t need complete 
Office compatibility but rather the 
ability to easily share and revise documents 
online. 

CONTACT: Google • 800-225-5224 • 
www.google.com 

Silveroffice gOFFICE 

Silveroffice's gOFFICE combines an online 
word processor, spreadsheet, and desktop 
publishing program. The vendor claims that 
a graphical presentation application will be 
available soon, but it was unavailable for 
testing at press time. 

gOFFICE is available in one edition for 
personal and business use priced at 99 cents 
per month. The spreadsheet module in gOFFICE 
offers the ability to import Excel documents, 
but the word processing application 
doesn't: You need to either create your documents 
from scratch online or cut and paste 
them into the document workspace from 
another word processing program. The word 
processing and spreadsheet modules have a 
very limited feature set, but both are easy to 
use—the lack of program features will turn off 
many business users, but getting up to speed 
with how to create, edit, save, and print documents 
is a straightforward process. 

The gOFFICE applications include some 
nice features for personal use, including an 
assortment of free letterhead designs and 
sample text for a variety of common business 
uses, such as purchase orders, thank-you 
letters, and sales receipts. Silveroffice 
also provides a free document fax service to 
US phone numbers and free postal delivery 
of gOFFICE documents (limited to one 
mailing per week). 

I encountered a number of glitches and 
head-scratching features when using gOFFICE, 
ranging from a tiny "gOFFICE.com" 
watermark included on all printed documents 
to module page headers that refer to 
gOFFICE as a "Free browser-based online 
office suite," despite the fact that users are 
charged to use the service. (The gOFFICE 
Web site's SSL certificate expired in September 
2007, which might make you think 
twice before entering your credit card number.) 
The online Help is anemic, and the 
current desktop publishing module lets you 
create only gift cards and business cards 
(although more templates are forthcoming). 

Even at 99 cents a month, gOFFICE 
doesn't compare well to more full-featured 
offerings from Zoho, ThinkFree, and Google. 
Even home and small-business users will be 
better served by choosing another product. 


SUMMARY 


Silveroffice gOFFICE 

PROS: Lots of free templates and sample 
text; US mail and fax services for printed 
documents 

CONS: Limited feature set; inability to 
import Word documents; general program 
stability and performance problems 

RATING: ♦VvvO 
PRICE: $0.99 per month, per user 

RECOMMENDATION: Free text 
templates and mail and fax services are 
unexpected (and welcome) features, but 
gOFFICE has little to offer beyond them. 
Because competitive products offer more 
features and stability for less cost, I don’t 
recommend gOFFICE. 

CONTACT: gOFFICE • www.goffice.com 


ThinkFree Premium 

Someone once said that imitation is the 
sincerest form of flattery. If that's the case, 
Microsoft should be blushing—ThinkFree is 
the closest thing yet to a literal translation of 
Office to an online environment. ThinkFree 
offers packages aimed at corporate and 
enterprise users, making it the best choice 
for business users looking for a light-duty 
online alternative to Office. 


SUMMARY 


ThinkFree Premium 

PROS: Closely approximates Microsoft 
Office look and feel; excellent document 
sharing options; affords ability to work 
offline with some documents; good document 
import and export functionality 

CONS: Slower performance with large 
documents than competitors; comparatively 
slow pace of updates and improvements to 
core applications 

RATING: ♦♦♦♦O 

PRICE: Free for ThinkFree Premium; $30 
per user per year for ThinkFree Server 
Edition 

RECOMMENDATION: It still can’t 
replace Microsoft Office in most office environments, 
but ThinkFree Premium comes 
closer to providing a Web-based, low-cost 
alternative to Office for home and small-business 
users than the competition. 

CONTACT: ThinkFree • support@thinkfree.com • 
www.thinkfree.com 

ThinkFree is available in a number of 
variants that are available at low or no cost. A 
desktop version installs on a client machine 
and provides a subset of Office functionality. 
ThinkFree Online lets desktop users edit and 
create online documents that are hosted by 
ThinkFree. ThinkFree Server lets companies 
run the ThinkFree software on their own Web 
server. I chose to test ThinkFree Premium, 
which introduces the ability to work with 
(and sync) online and offline documents. It 
also provides 24-hour technical support and 
file synchronization options that make it the 
best choice for small businesses. 

Whereas the other products in this comparison 
have developed their own interface 
design for each of their application modules, 
the ThinkFree UI strongly resembles 
Microsoft Office 2000 and 2003. Like Google 
Docs, ThinkFree features a common online 
workspace to which you can upload Word, 
Excel, and PowerPoint documents for editing. 
ThinkFree Premium also lets you access 
documents locally so you can edit them 
when you're not connected to the Internet. 
Two editing options are offered: A quick edit 
option is designed for creating simple online 
documents; a power edit option allows 
the creation and editing of more complex 
documents that are compatible with their 
Microsoft Office equivalents. 

Other thoughtful touches abound: You 
can upload multiple files from a single 
screen, the online Help is verbose and actually 
helpful, and the file-sharing features are 
easy to find and use. On the downside, getting 
to my online files seemed to take longer 
than it did with some of the other products, 
and editing tasks periodically took a second 
or two longer than expected. ThinkFree 
lacks the vast quantity of applications (and 
frequency of updates) that Zoho offers, and 
it might trail Google when it comes to email 
and calendaring functionality. Office rules 
the roost when it comes to mid-to-heavy 
application use, but ThinkFree Premium is 
worth a look as the best of the current breed 
of online alternatives to Office for home and 
small-business users. 

Zoho Office Suite 

Like many of the other products in this comparison, 
Zoho has basic office-suite application 
tasks covered: Zoho Writer, Zoho 
Sheet, and Zoho Show provide basic word 
processing, spreadsheet, and presentation 
functions, respectively. (In this review, I refer 
to the Zoho office applications collectively 
as the Zoho office suite.) Where Zoho excels 
is in the depth and breadth of products it 
offers: Nearly a dozen online applications do 
everything from project management (Zoho 
Projects) to Web conferencing and database 
creation, in addition to customer relationship 
management (CRM—Zoho CRM) and 
wiki software (Zoho Wiki), and all are free. 


SUMMARY 


Zoho Office Suite 

PROS: Includes more than a dozen applications; 
lots of program features; robust 
import and export capability; affords the 
ability to work offline (via Google Gears) 
with Zoho Writer documents; high-traffic 
(and helpful) user support forums; frequent 
and high-quality application updates 

CONS: Bright, playful interface seems 
more focused on home users; some performance 
problems; Zoho Show import problems 
with some PowerPoint files 

RATING: 

PRICE: Free 

RECOMMENDATION: Only the narrowest 
of margins kept the Zoho family of 
applications from earning the top spot in 
this comparison. Zoho excels as a viable 
alternative to Microsoft Works (and similar 
application suites) for personal use—just a 
few more business-oriented features would 
see it emerge as the Microsoft Office alternative 
to beat. 

CONTACT: Zoho • www.zoho.com 

In terms of document compatibility, 
Zoho Writer and Zoho Sheet loaded my 
sample Word and Excel documents without 
any formatting problems. Zoho Show 
loaded the sample PowerPoint document 
with a few visual glitches, mainly disappearing 
borders and some unusual font 
sizes. Conversely, most Zoho modules feature 
impressive export options once you've 
made changes to your online documents. 
For example, Zoho Sheet can export worksheets 
in XLS, Open Document spreadsheet 
(ODS), OpenOffice.org spreadsheet (SXC), 
Gnumeric, CSV, HTML, Extensible HyperText 
Markup Language (XHTML), and PDF 
formats. Zoho also offers a Zoho plug-in for 
Office that lets users edit and save documents 
directly into Zoho Writer and Zoho 
Sheet from Word and Excel, respectively. A 
free Zoho plug-in for Microsoft Office lets 
you save files locally. 

Like Google Docs and ThinkFree Premium, 
Zoho provides robust support 
for sharing documents with other users 
online. During the course of my evaluation, 
Zoho released a slew of new updates and 
enhancements, and the frenetic pace of 
product updates is scheduled to continue. 

Zoho may lack the professional appearance 
and Office-oriented feature set that 
ThinkFree Premium includes, but Zoho 
wins points for the breadth of the applications 
it offers, the rapid pace of its upgrades, 
and a very active online community that is 
frequented by many Zoho developers. 

Ajax13 

In addition to being the name of a powdery 
household cleanser my mother was fond of 
using, AJAX (the acronym stands for Asynchronous 
JavaScript and XML) describes 
a group of Web-focused programming 
techniques that allow rich, feature-packed 
Web applications to run with respectable 
performance in a Web browser. The AJAX 
programming methodology is an important 
part of most of the products featured in this 
comparison and lends its name to the last 
online office suite I examined: Ajax13. 

Ajax13 is actually a compilation of five 
applications: ajaxWrite (word processing), 
ajaxSketch (drawing), ajaXLS (spreadsheet), 
ajaxPresents (presentation) and ajaxTunes 
(a music player). Like most of the other 
products in this comparison, the product 
is free. Getting started with any of these 
applications can take some time because 
the Ajax13 suite requires the use of Mozilla 
Firefox 1.5 to function properly. Ajax13 
doesn't work with Safari, Microsoft Internet 
Explorer, or Opera, although Ajax13 has 
stated that it's working on extended browser 
support. This requirement alone is a big 
negative, but weak browser support is the 
least of Ajax13's problems. 


SUMMARY 


Ajax13 

PROS: Clean module interface design; 
core applications load quickly 

CONS: Lack of features; lots of import 
and export bugs and glitches; quirky, counterintuitive 
file-loading dialogs; requires 
Mozilla Firefox 1.5 

RATING: ♦OOOO 

PRICE: Free 

RECOMMENDATION: Nearly all of the 
Ajax13 applications we tested had serious 
bugs, quirks, or simply didn’t function at all. 
Granted, this software is in beta, but so are 
all the other products in this comparison. 
This one simply isn’t worth the time or 
effort needed to make it work. 

CONTACT: Ajax13 • www.ajax13.com 

AjaxWrite—a simple word processor 
that sports a clean, minimalist interface— 
was the first module I tried. I attempted 
to load the test document, then waited. 
And waited. Then waited some more. After 
about 10 minutes of watching an animated 
loading screen that resembled a history of 
Google's stock price, I cancelled the import 
and moved to the ajaxPresents module. Not 
much luck here either: The program spit out 
an error message each time I tried to load 
the sample PowerPoint document. Hoping 
that the third time was the charm, I turned 
to the ajaXLS spreadsheet viewer, only to be 
blocked by a frozen dialog box. 

To be fair, these Ajax13 applications—like 
all the other products in this comparison— 
are beta software. The Ajax13 suite does 
have some laudable features, namely clean 
interface design, fast core-application load 
times, and a well-populated user forum. 
However, these few positive features can't 
make up for some crippling bugs, curious 
feature omissions, bizarre load and save dialogs, 
and a general lack of stability. Ajax13 
might be fine for Web-focused hobbyists 
who have use for some of its more esoteric 
features, but anyone else should give this 
online office suite a wide berth and look 
elsewhere. 


Microsoft Office Live Workspace: 
A WINNING STRATEGY? 

Microsoft may have been slow to respond to the flood of Web-based competitors to Office, but it isn’t hard to see why. A Web-based version of Office could cannibalize the existing (and profitable) sales of Office products, but doing nothing will simply cede a potentially lucrative future market to Microsoft’s competitors. After realizing that Web-based office applications aren’t going away, Microsoft has developed what it believes to be a winning strategy: “Software plus Services.” Described as a mix of the company’s existing client-based software with newer server-based applications, the objective of the Software plus Services strategy is to maximize the benefits of both mediums, teaming the security, speed, and reliability of existing offline Office applications with online services that provide document sharing and collaboration. 

The first tangible manifestation of Microsoft’s strategy is Microsoft Office Live Workspace (shown in Figure A), an online service (currently in beta) that lets Office users upload and share Office documents. There are some caveats: Users are required to have a version of Office installed in order to edit and save documents, and the lack of online editing capability is a curious oversight. 

Based on my experience with the beta version, Office Live Workspace provides some interesting features (especially the ability to store common documents for later editing at a different location with a different PC), but lacks others—such as the ability I mentioned to create and edit documents online, a feature that all the products in this comparison offer. The interface should be familiar to Office users, and as a first stab at providing for Web-based sharing of Office documents, it’s a passable effort. 

“Office Live Workspace will provide anywhere-access to Office documents, including Word, Excel, and PowerPoint files,” Jeff Raikes, president of Microsoft’s Business division, has said. “In other words, these documents will go wherever people go when they’re away from their usual desktop.” 

Granted, the ability to upload and share documents has been done before (specifically, by Google), but the tight integration between Office and Office Live Workspace could address criticism that Office doesn’t offer robust document-sharing functionality. The Office development team hasn’t been idle, and we’re bound to see more updates and improvements over the coming months and years. The next version of Office might still be a long way off, but it’s clear that tighter integration with the Web will be 

Figure A: Office Live Workspace 


Table 1: Online Office Suites Comparison 

| Product | Google Docs | gOFFICE | ThinkFree Premium | Zoho Office Suite | Ajax13 |
| --- | --- | --- | --- | --- | --- |
| Price | Standard edition is free; Premier Edition is $50 per user, per year | $0.99 per user, per month | Free | Free | Free |
| Storage Space for Documents | 2.75GB per account for standard edition; 25GB per account for Premier Edition | Unlimited | 1GB per account | 1GB per account | 1GB per account |
| Word Import Capability | Yes | No | Yes | Yes | Yes* |
| Word Export Capability | Yes | No | Yes | Yes | Yes* |
| Excel Import Capability | Yes | Yes | Yes | Yes | Yes* |
| Excel Export Capability | Yes | No | Yes | Yes | Yes* |
| PowerPoint Import Capability | Yes | No | Yes | Yes | Yes* |
| PowerPoint Export Capability | Yes | No | Yes | Yes | Yes* |

*Features didn’t function during testing. 

Are the Days of Microsoft Office Numbered? 

Can competing online office suites truly 
replace the ubiquitous Microsoft Office? If 
you're an IT manager at a medium to large 
enterprise, the answer is a definitive no. As 
promising as these applications are, they 
lack the depth of content, robust security 
features, and massive support infrastructure 
that midsized-to-large enterprises need. 
Because ThinkFree Premium comes closest 
to reaching those goals for light-duty 
business use, I've designated it my Editor's 
Choice. (But don't count out Zoho and 
Google: At their current rate of development, 
both the Zoho office suite and Google 
Docs might have launched more updates 
and improvements to their products by 
the time you read this.) Only ThinkFree 
Premium, Google Docs, and the Zoho suite 
were able to load and allow editing of all 
three sample documents. Ajax13 and gOFFICE 
are outmatched in nearly every category 
in this comparison. 

For small-business and personal use, 
the best online office suites in this comparison 
can be attractive solutions. As 
an alternative, IT pros running on a tight 
application budget—or those who prefer 
to keep their office applications offline and 
local—might take a look at the open-source 
alternatives to Microsoft Office: OpenOffice.org, 
IBM Lotus Symphony, and Sun 
Microsystems' StarOffice. Each is based on 
the OpenOffice.org code base, and most 
provide the bulk of the features that Office 
does at no cost. (A StarOffice license costs 
$69.95 per user, who can install that software 
on 5 machines.) 

Whether we're discussing online Office 
workalikes or products like OpenOffice.org, 
it's clear that there are now more options 
for business desktop applications than ever 
before. Microsoft Office still dominates the 
market, but changes are coming. Office Live 
Workspace might be a passable stopgap for 
Office users who want to share documents 
online, but Microsoft clearly needs to do a 
better job of integrating the existing Microsoft 
Office suite with the Internet. The days 
of Microsoft ruling the desktop application 
market virtually unopposed are over. We've 
seen only the opening skirmishes of what 
will undoubtedly be a long battle over how 
people should create, edit, and share documents 
between computers and across the 
Internet. The ensuing competition will not 
only be entertaining to watch but will also 
signify that consumers have more products 
and solutions to choose from—and that's 
always good news. 


Take the Backup & Recovery Challenge 

Try the sample questions presented here, then log on to 

www.windowsitpro.com/go/symantecquiz 

to complete the challenge. Once you complete and submit the online portion of the 
challenge (only another seven questions), you’ll be eligible to win a Nintendo Wii. 

A drawing will be held on April 15, and the winner will be notified via email. 

What backup software is built on two decades of proven engineering and is the gold 
standard in enterprise Windows data protection? 

a. Symantec™ Backup Exec™ 
b. Copy and paste 
c. Norton Ghost™ 
d. None of the above 

The new Symantec Backup Exec 12 multi-product platform provides integration with: 

a. Symantec Endpoint Protection™ 
b. Enterprise Vault™ 
c. Backup Exec™ System Recovery Option. 
d. The new Symantec Online Storage™ option. 
e. All of the above. 

Business data volumes are growing at a rate 40-50 percent per year which makes it 
harder for organizations to meet strict recovery point objectives without 
an efficient: 

a. CEO. 
b. Backup and Recovery Solution. 
c. CRM solution. 
d. Vacation Calendar. 

answers on back 

Sponsored by Symantec. 


Market Watch 


Group Policy Tools: Easing the Pain 

Help is on the way 


am here's no reason Group Policy shouldn't 
be easy to use," says SDM Software CEO 
and Group Policy MVP Darren Mar-Elia. If 
you're in the 22 percent of IT pros who admit to "winging 
it" as they configure and manage Group Policy, you might 
be surprised to hear that statement. Many IT pros have 
found it difficult to find a specific setting in Group Policy, 
to design Active Directory (AD) organization units (OUs) 
with Group Policy in mind, to set up user and computer 
groups to work with Group Policy, to troubleshoot nonworking 
Group Policy Objects (GPOs), and to back up the 
GPO infrastructure. 

That a significant number of IT pros acknowledge 
being somewhat clueless about Group Policy—even as 
they use it—surprised Group Policy solution provider 
NetIQ. The company surveyed IT pros about how they 
use Group Policy and published the results in 2007. 
According to Sacha Dawes, senior manager of product 
marketing at NetIQ, that figure of 22 percent is evidence 
of the lack of available native tools for managing Group 
Policy, including "the severe lack of change control." 

In a conversation with Windows IT Pro magazine in 
the fall of 2007, Dawes noted that 58 percent of survey 
respondents said they'd experienced an unplanned outage 
from a Group Policy change and that their troubleshooting 
time ranged from 45 minutes to more than 6 
hours. And more than half of the respondents also said 
that they had no system set up to alert them to a Group 
Policy problem or anomaly—their "strategy" was simply 
to wait for an incident to occur. 

Group Policy experts, solution providers, and users 
agree that Group Policy can get you into a lot of trouble if 
you don't use it properly. They differ on what Microsoft's 
role is in managing this technology and what vendors can 
best do to help fill in the gaps. They also have different 
opinions on what impact Microsoft's soon-to-be-released 
Group Policy Preferences (technology from the acquisition 
of DesktopStandard) will have on the Group Policy 
tools market. 

Most agree, however, that if you're not using Group 
Policy yet, you will be. Let's look at how Group Policy 
has evolved, why it has a reputation for causing IT pros 
to sweat bullets, and how Microsoft and third-party tools 
aim to help ease your Group Policy pain. 

Group Policy Past and Present 

Group Policy is a Windows feature that lets you centrally 
configure and manage computers and remote users in 
an Active Directory (AD) environment. You'll find Group 
Policy at work in the enterprise as well as in smaller organizations, 
such as schools and libraries, where it can be 
used to restrict users' actions and increase security. 

Using Group Policy, you configure settings and store 
them in Group Policy Objects (GPOs). You create and 
edit GPOs with two tools: The Group Policy Object Editor 
(GPE) lets you create and edit one setting at a time, and 
the Group Policy Management Console (GPMC) lets you 
create and edit multiple settings at a time. After you create 
the GPO, you target or link it to an AD site, a domain, 
or, more typically, an organizational unit (OU). Then the 
Group Policy client pulls a list of GPOs appropriate to a 
machine and logged-on user and applies the GPOs. The 
GPOs enforce your organization's security settings and 
restrictions—and keep users from overriding them. 

NetIQ's survey found that a surprising number of IT 
departments use Group Policy as a way to write fewer 
scripts. The more typical use, however, is for configuration 
management and for implementing server security and 
protection at the client level. Group Policy's usefulness is 
clear; what, then, makes it so difficult to master? 

Consider that Group Policy began in Windows 2000 
with just 500 settings. "You could wrap your brain around 
that," Microsoft's Lead Program Manager in Group Policy, 
Kevin Sullivan, says. Windows XP Service Pack 2 (SP2) 
had "800 additional settings. With Vista, it's 3,000. A slew 
more will appear in 2008." 

Mar-Elia, of SDM Software, explains: "The way Group 
Policy was built, a team built the engine and created a 
framework. But the team didn't create a standard. So each 
product group went off and did its own thing." Sullivan 
offers the Microsoft perspective: "The Group Policy team 
doesn't decide what needs to be managed, for example, 
in Windows Media Player—but we do help them and test 
the Group Policy experience." 

With the acquisition of DesktopStandard in 2006, 
Microsoft at least made it easier on itself in the Group 
Policy arena. DesktopStandard's GPOVault Enterprise 
became Microsoft Advanced Group Policy Management 
(AGPM) and was released in the Microsoft Desktop Optimization 
Pack (MDOP) for Software Assurance (SA) in July 
2007. AGPM lets you manage GPOs by offering change 
control (e.g., the ability to check GPOs in and out for editing), 
the ability to compare two versions of a GPO, and 
role-based delegation. Microsoft is integrating DesktopStandard's 
PolicyMaker Standard Edition, Share Manager, 
and Registry Extension into the GPMC and renaming it 
Group Policy Preferences. It will be in Windows Server 
2008 and offered as a Windows Vista SP1 download in the 
Remote Server Administration Toolkit (RSAT). 

Two vendors whose product offerings don't overlap 
with Microsoft's Group Policy offerings comment favorably 
on the release of the newly acquired tools. Thorbjörn 
Sjövold, CTO and founder of Special 
Operations Software (Specops), says Microsoft 
"more than doubled the number of 
Group Policy extensions with Group Policy 
preference extensions (GPPE). This is really 
good news because it shows that Microsoft 
believes in Group Policy and is committing 
to the technology." The former CEO 
of DesktopStandard, now CEO of Beyond 
Trust, John Moyer, adds, "What Microsoft 
is releasing with Group Policy Preferences 
is going to make Group Policy useful to the 
broader market and will help with standardizing 
desktops." 

The settings in Group Policy Preferences 
"could potentially reach a staggering number," 
Microsoft's Sullivan says. "I mean that 
in a 'wow, look at my breadth of management' 
way. For example, it's easy to distribute 
binary data out to clients. It's a pretty exponential 
leap we're looking at." 

Group Policy Preferences adds flexibility, 
Sullivan says. An administrator can create 
an image, deploy it to users, and users 
can change some of the preferences if the 
administrator allows it. "An admin can set or 
narrow down in Editor, turn on filter options, 
and look for commented settings." Sullivan 
points out the usefulness of being able to 
annotate GPOs with commented settings. 
"Today, if customers open a GPO and see a 
creation date of 2000, they don't know why 
it was created or who created it." Another 
feature in Group Policy Preferences is what 
he calls "starter GPOs." What he refers to is 
architecture that supports a baseline application. 
"You can create starter GPOs with 
canned settings and another admin can use 
those canned settings as a starting point" to 
configure a new GPO. 

Jason Leznek, Microsoft Senior Product 
Manager for Windows Client Manageability, 
adds, "The other thing that Group Policy 
Preferences lets you do is richer targeting. 
Group Policy Preferences lets you set Windows 
Management Instrumentation (WMI) 
filtering or go beyond, and it's in a GUI. You 
can have check boxes; you can specify situations 
for settings; you can have multiple settings 
in one GPO." 

According to Sullivan, Microsoft jumped 
on those feature changes that provided best 
customer value and didn't step on partners. 
Sullivan says his team asked customers, 
"What do you want to do in Group Policy?" 
The answer was that they wanted to do 
everything they could on their systems. 
"Group Policy Preferences provides application 
extension," Sullivan notes. "Partners 
can go in through the core and add and 
enrich." 

Third-Party Solutions 

You'll find several big players in the Group 
Policy arena and some smaller ones. Tools 
from third parties tend to fall into two main 
areas—those that extend what you can do 
with Group Policy and those that help you 
manage Group Policy. 

Tools that extend Group Policy. Within 
the extension area are tools that add Group 
Policy functions. Examples of such func¬ 
tions include software deployment and asset 


inventory. Two vendors in this arena are 
Beyond Trust and Specops. 

Beyond Trust uses the concept of least 
privilege to help administrators configure 
applications to run on desktops. "We get 
apps that require admin privileges to run on 
the desktop where they don't have administrative 
privilege," CEO Moyer says. He notes 
the impact of a recent US Office of Management 
and Budget mandate: "Federal agencies 
must move to standard configurations 
for Vista and XP, which means no more local 
administrator accounts. The local administrator 
account undermines all settings. It 
undermines what you're trying to do with 
Group Policy. We see the need to exploit this 
concept, developing new products and new 
versions." 

As a former strategic Group Policy partner 
of DesktopStandard, Specops offered 
tools that didn't overlap with DesktopStandard's 
and that don't overlap with Microsoft's 
releases. Specops founder and CTO Thorbjörn 
Sjövold says that, besides DesktopStandard, 
Specops is actually the only winner 
among the Group Policy Extension ISVs 
when it comes to Microsoft's Group Policy 
Preferences offering. 

Tools that extend Group Policy include the 
following: 

• Beyond Trust Privilege Manager—lets 
administrators use Group Policy to configure 
applications so users can launch them 
without having administrator privileges. 
It includes the ability to let enterprises 
operate with User Account Control (UAC) 
turned on or off. 

• FullArmor Endpoint Policy Manager—uses 
an organization's existing Group 
Policy infrastructure to provide real-time 
management and enforcement of endpoint 
policy settings by pushing Group 
Policy settings to client computers that 
might not connect often to the domain; it 
also provides auditing and reporting for 
compliance. 

• FullArmor GPAnywhere—lets administrators 
create portable policies from Group 
Policy settings and settings provided by 
IntelliPolicy for Clients to enforce policies 
on devices outside AD. 

• Specops Command—combines Windows 
PowerShell with Group Policy, making it 
possible to execute PowerShell scripts on 
any number of computers. 

• Specops Deploy—uses a Group Policy 
client-side extension (CSE) that replaces 
the built-in Group Policy software installation 
(GPSI) functionality in Windows. 

• Specops Inventory—uses Group Policy to 
provide detailed data to track Windows-based 
IT assets. 

• Specops Password Policy—removes the 
obstacle of the single password policy per 
domain in Group Policy. 

Tools that manage Group Policy. Within 
the management area, you see tools that 
focus on specific management functions— 
such as troubleshooting, reporting, and 
security—and tools that offer many management 
functions across the board. Mar-Elia, of 
SDM Software, approaches Group Policy by 
conceiving of his products in three "buckets": 
troubleshooting, management, and reporting. 
"I decided the first thing I wanted to 
do was get tools for troubleshooting." His 
second product was something he'd wanted 
to do for a long time. Editing GPOs required 
Group Policy Editor (GPE); Microsoft provides 
Group Policy Management Console 
(GPMC), and there was some scripting, but 
it was geared toward the GPO. He wanted to 
make a Group Policy Software Development 
Kit (SDK) and expose settings. The result was 
the company's scripting toolkit. 

He has two additional products ready to 
release: One is Group Policy Backup and 
Recovery. "GPMC provides backup and 
recovery as an afterthought. I'm trying to 
make it more of an enterprise-strength 
solution, with backup and restore links." 
The other is Desktop Policy Manager, which 
rides on the scripting toolkit. With it, small-to-midsized 
businesses (SMBs) can manage 
Group Policy by using a Web interface that 
walks people through how to define settings 
and shows them in profiles. According to 
Mar-Elia, it hides the linking. "Instead of 
thousands of settings, the user sees a dozen. 
Not everyone has to see the complexity of 
GPMC—we shield them from that." 

Gil Kirkpatrick, CTO of NetPro, says, 
"Smaller organizations are just now beginning 
to experiment with Group Policy. I 
talked to a group of SMBs about AD backup 
and recovery, and very few were using it. 
It looked complicated to them." He says, 
however, that we'll see many smaller businesses 
getting into Group Policy. "I think 
that's what's driving a lot of the introduction 
of Group Policy tools." In the past, he says, 
"management tools didn't scale well to the 
SMB area and weren't intuitive. Microsoft 
built the platform services well, then gave 
you a crappy interface and left it to the ISVs 
to fill in." NetPro's tools cover the AD realm 
and include specific Group Policy management 
tools, such as GPOADmin. It's not yet 
possible to be an all-NetPro shop, though 
additional offerings are in the future. 

Using Group Policy, Kirkpatrick says, "needs 
to be a controlled IT process, a process that's 
standardized." The other need is "to be able 
to delegate Group Policy creation or setting. 
Native tools don't let you delegate the ability 
to manage Group Policy." 


About Microsoft's recent entry of the DesktopStandard 
product version, he says, "We 
had just released GPOADmin, which competed 
with DesktopStandard's product— 
but Microsoft split that product in two." 
As he understands the Microsoft offering, 
"It doesn't help you much with respect to 
management, but it does have a nice UI. 
It's not like Microsoft solved the management 
problem in Group Policy. Vendors will 
just have to be more innovative." NetPro's 
GPOADmin "expanded features and added 
workflow. You can delegate and let others 
make changes and an email goes out to 
higher administrators who can approve and 
apply the changes. It doesn't make sense for 
shops with one IT guy, but it's necessary for 
large shops and is in line with IT Infrastructure 
Library (ITIL)." 

Tools that help you manage Group Policy 
include the following: 

• NetIQ Group Policy Administrator—offers 
a change management process for GPOs, 
including offline management, versioning, 
workflow and delegation, the ability to 
replicate GPOs, and auditing and reporting 
capabilities. 

• NetIQ Group Policy Guardian—alerts 
administrators when certain Group Policy 
changes occur, details and documents 
Group Policy change history, and offers 
change tracking. 

• NetPro ChangeAuditor—adds audit visibility 
beyond native logs with coverage 
for GPOs and nested groups in addition to 
real-time auditing and reporting of AD, file 
system, and Exchange changes. 

• NetPro GPOADmin—lets you automate 
change management tasks by configuring 
workflow approval processes that include 
the ability to do offline edits to GPOs as 
well as GPO commenting, tracking, version 
control, backup, scheduling, and 
change auditing. 

• Quest Software Quest Group Policy Extensions 
for Desktops—lets you use Group 
Policy to implement and enforce endpoint 
security and includes tools that extend 
Group Policy to manage desktops, including 
the ability to configure Microsoft Office 
applications and to manage Microsoft 
Outlook remotely. 

• Quest Software Quest Group Policy Manager—adds 
version control and a new UI 
to its GPO change management solution, 
which includes archiving and rollback, a 
multilevel approval process, and the use 
of PowerShell to automate Group Policy 
management tasks. 

• SDM Software GPExpert Backup Manager 
for Group Policy—lets you manage the 
backup and recovery of GPOs and GPO 
links in your AD environment. 

• SDM Software GPExpert Scripting Toolkit 
for PowerShell—helps you automate 
Group Policy management using PowerShell. 

• SDM Software GPExpert Status Monitor—lets 
Help desk administrators find out 
quickly when Group Policy isn't working 
by referring to desktop event logs that 
record successes or failures in Group 
Policy processing. 

• SDM Software GPExpert Troubleshooting 
Pak—helps administrators troubleshoot 
and resolve problems in Group Policy 
processing. 

Group Policy in Your Future 

With its acquisition of DesktopStandard 
and the resulting new Group Policy-related 
offerings, Microsoft is giving more attention 
to configuration and management difficulties 
that have plagued Group Policy users. 
As third parties build more features into 
their Group Policy products, those tools will 
expand on what Microsoft has done. 

Sjövold, of Specops, says, "Microsoft's 
renewed commitment to Group Policy will 
most likely encourage more ISVs to build 
solutions on top of Group Policy." Peter 
Beauregard of Beyond Trust concurs: "We 
look at what [Microsoft's] doing, and it gets 
people excited about Group Policy." According 
to NetPro's Kirkpatrick, "Microsoft had a 
gaping wound with respect to management 
of Group Policy. They've put a good bandage 
on it. But they're not going to have a team of 
20 developers working on updating Group 
Policy Preferences." He adds, "There's still lots 
of room to innovate." 

Mar-Elia, of SDM Software, also sees 
room for growth: "There's a ton of untapped 
potential, stuff that Group Policy could do 
better—the engine could be more resilient, 
you could have more robust reporting, 
and you could add the ability to fail over to 
another location." He adds, "We'll see XML 
start to permeate Group Policy" as a more 
unified way of describing configuration. 
InstantDoc ID 98087 

Brent Kerby, Product Marketing Manager for AMD’s Server/Workstation Division, and Ward Ralston, 
Senior Technical Product Manager of Microsoft’s Windows Server Division, discuss energy efficiency 
and reducing the industry’s environmental impact. 


How do energy-efficient technologies contribute to an 
organization’s financial bottom line? 

Ralston: The power bill is the second largest datacenter expense, only 
trailing the phone bill. Hence, most IT departments are discovering the 
value of developing an energy strategy. Energy-efficiency technologies 
can reduce costs, reduce datacenter management demands, and free-up 
resources. With energy prices expected to keep rising, efficient technologies 
will be even more significant to the IT budget. Environmental sustainability 
is a fundamental, long-term business strategy for Windows Server. 


Is AMD committed to reducing its environmental impact? 

Kerby: AMD is committed to managing the environmental impact of 
both its products and operations. Specifically, AMD has taken action to 
purchase renewable energy, maximize energy efficiency, and lower costs 
and reduce environmental impact through its technology design, manufacturing 
innovations, and facilities design and operations. 

What are AMD’s short-term and long-term goals related to 
reducing its environmental impact? 

Kerby: AMD is focused on three things: 

1. outsourcing energy supplies with lower global-warming impact; 

2. optimizing existing manufacturing processes, associated facilities, and 
technology upgrades; and 

3. lowering gas emissions with new facilities and new equipment. 

Long term, we are committed to continued innovation toward products 
that boost processor performance, and lower power consumption 
and continued work with the industry on environmental issues. 

AMD has demonstrated its commitment to energy efficiency and 
environmental stewardship by partnering in voluntary initiatives, 
including the EPA’s Climate Leaders program, Energy Star® and the 
Green Power Partnership. In 2006, AMD became one of the founding 
members of the technology industry coalition, The Green Grid, which is 
dedicated to promoting energy-efficient computing in the data center. 

How does AMD assist customers in reducing their 
environmental impact and increasing energy savings? 

Kerby: Our commitment to energy efficiency spreads throughout the 
technology ecosystem, and to customers, helping address power concerns 
at a global level. One way we manage our influence on the global climate 
is by providing customers with energy efficient technology solutions, 
because from our perspective, energy-efficiency is just as important as 
speed and performance in computing innovation. In real terms, AMD is 
helping reduce business energy costs for server processors by up to 30-50 
percent. The technologies and products we design to help customers 
build more energy efficient products include: 

1. The latest generation of AMD Opteron™ processors are geared toward 
maximizing computing power in the datacenter, while minimizing 
power consumption. Power-efficient Quad-Core AMD Opteron 
processor-based systems, utilizing DDR2 memory and Direct Connect 
Architecture with integrated memory controller, can consume less 
power at the wall than comparable systems. 

2. Dual Dynamic Power Management™ (DDPM) provides independent 
power supply to the cores and memory controller, allowing them to 
operate on different voltages, as determined by usage. 

3. The innovative Enhanced AMD PowerNow!™ Technology strengthens 
the per-watt performance capabilities of the AMD Opteron processor. 
It also increases platform investment protection 
by reducing the strain on datacenter 
cooling and ventilation systems. 

4. AMD’s CoolCore™ Technology, can 
reduce energy consumption by turning off 
unused parts of the processor. AMD Virtualization™ (AMD-V™) 
technology for virtualization enables multiple operating systems and 
applications to run simultaneously on the same server, resulting in a 
more efficient use of hardware and a significant reduction in energy used. 

What features in Windows Server 2008 help consumers 
manage power consumption? 

Ralston: Windows Server 2008 is Microsoft’s most energy efficient 
server system to date. There are three main areas where Windows Server 
2008 can provide power savings. First, organizations will see the most 
direct power benefit from Hyper-V’s virtualization capabilities. With consolidation 
of up to eight underutilized servers onto one physical server, 
organizations can immediately see significant power savings. Second, 
Windows Server 2008 has the ability to throttle power to hardware components 
that consume large amounts of power. The CPU, for example, 
can account for as much as 45 percent of server power. Windows Server 
2008 continually evaluates the CPU load and can reduce the CPU power 
by as much as 50 percent. Third, the next generation of multi-core CPUs 
can extract four to eight-times the processing power without increasing 
CPU power consumption. 

In Windows Server history, each release has been notable 
for some key technology. Windows 2000 Server was the 
Active Directory (AD) release. Windows Server 2003 was 
the security release. 

When planning began for Longhorn Server (now Windows 
Server 2008), Microsoft was preoccupied with Linux. 
Consequently, the original plans lacked significant innovation: 
Longhorn Server was an unexciting revision of Windows 
2003 with some manageability enhancements. As time passed, 
the corresponding Longhorn client (now Windows Vista) release 
continuously slipped, holding back Longhorn Server. 

Finally, in 2005, because the original features conceived for 
Longhorn Server were finished (and to appease Software Assurance 
customers) Microsoft announced a new cadence of a "minor" release to follow two 
years after each "major" release such as Windows 2003. The result was Windows 
Server 2003 R2. R2 was notable for clearing the stage so that the actual Longhorn 
release could introduce some really interesting technology: Server 2008 debuts a 
new roles-based management paradigm enabled by componentization of the OS; 
but the features this release will be notable for are Server Core and native virtualization, 
Hyper-V (code-named Viridian). 

Just as each Server release has been noted for a technology, so has each 
release's development been led by a Microsoft engineer. Windows NT was fathered 
by Dave Cutler. Win2K finally shipped thanks to Brian Valentine. Windows 2003 
bears the imprint of Dave Thompson. Responsibility for Server 2008 rests on Bill 
Laing, general manager of the Windows Server division. 

In a recent conversation, Laing discussed Server 2008's evolution, candidly 
commenting about the development of key features, lessons learned, what he 
thinks might be hard for some users, and what surprised him. 

The Role of Roles 

Forster: What were your goals for Server 2008? 

Laing: We always have the basic goals of improving reliability, security, scalability, 
but the notion of role-based deployment was a big change for Windows. We 
wanted the server so you could configure it by role, or by workload. The big Aha! 
moment was that customers actually say "roles." We didn't make that word up; it 
came back to us. 

Server General Manager Bill Laing 

Forster: Didn't Windows 2003 start moving toward 
roles? 

Laing: We had Manage Your Server and Configure Your 
Server, but it wasn't a natural tool you left up the whole 
time. Now we literally don't include the bits for undeployed 
roles in the directory. They're on the disk, but 
if you don't install the role, the code for that role is not 
even there. 

Forster: What are the implications of role-based deployment? 

Laing: The way I think about it is you're reducing the 
surface area, which helps you with management because 
you're only exposing the things you need for the role. If 
you don't install Media Player, you don't have to pay any 
attention to it—whether it's managing it, or patching it, 
or whatever. I think of how easy it is with Windows 2003 
to turn on File Server. Well, now you have to consciously 
go through the act of creating a file server role. You're not 
accidentally going to create shares, for example. 

Forster: Do roles enhance security? 

Laing: I'd love to claim it makes Windows Server more 
secure. It's a tough thing to claim. But there are 
fewer moving parts. So the surface area has 
come down and it should improve security. 

Server Core 

Forster: The most important innovation is 
probably Server Core, the stripped-down 
version of the OS with no GUI. How did 
Server Core happen? 

Laing: Customers told us they wanted it— 
and I was pleasantly surprised at how much 
we were able to do in a first release. Actually, 
the people who had started doing the initial 
work came from the Embedded Systems 
group. They'd been thinking about Windows 
in embedded environments. They'd been 
doing a lot of analysis and had done maps of 
different layers of the OS. 

Forster: Untangling the dependencies within 
Windows Server must have been daunting. 
How did you deal with that? 

Laing: When we initially went into componentization, 
naively, we thought there 
would be maybe 2,000 components in the OS 
and we'd just pick and choose the ones we 
wanted. The problem is you have to test all 
the ways the components can be combined, 
so you really have to choose fairly big building 
blocks. It was clear to me that we could 
only manage a few layers initially. 

Forster: What were the challenges of applying 
the Embedded Systems team's work to 
Windows Server? 

Laing: If you build an embedded OS, it's 
deployed in the context of, say, a Point of 
Sales terminal. It's not some general-purpose 
thing like an OS that then gets deployed 
in many scenarios. The people building 
the terminal can choose their components, 
integrate the system, and that's it. So we 
walked this fine line between how many 
components do you want and the complexity 
problem that occurs because components 
can be assembled in different ways. That's 
why we went for Core, plus—as we used 
to call it—ROS (Rest of the OS), which was 
the next building block. That was the difference 
between Server Core, and then Server 
without the roles, and then each role being 
separate, and then ideally each feature. 

Hyper-V 

Forster: Hyper-V was a late addition and 
actually isn't a finished part of this release 
[As I wrote this article, a beta 
of Hyper-V had shipped in 
December and another beta 
was scheduled to ship with 
Server 2008, with the final 
Hyper-V set to release within 
180 days.] How did Hyper-V 
come about? 

Laing: Around late 2003, we 
acquired Connectix (Virtual 
Server and Virtual PC). At 
that time, people thought of 
virtualization as an option 
rather than a core strategy 
for the company. The initial 
model was to add Virtual 
Server 2005 R2 to provide a 
virtual hosting model. Then came research 
groups, such as Xen (we actually contributed 
research into Xen), and the hypervisor 
model. And the semiconductor industry 
was developing enhancements to support 
virtualization. We said, "That's a core feature 
of the OS." That was the change in our 
thinking—that virtualization was a core feature 
of the OS. 

Forster: Will Hyper-V drive demand for 
Server 2008? 

Laing: Oh, yeah, I think it will. That's probably 
the main new thing—most other things 
that we've done are somewhat evolutionary. 
That's a big-ticket item that people will go for. 
And the fact that we support Windows 2003 
and Red Hat and SUSE Linux on Hyper-V 
makes it interesting. 

Lessons Learned 

Forster: What lessons will you take from this 
release? 

Laing: Betas are important, but you don't 
get deep insight back from betas. If you do 
stupid things and you have obvious bugs, 
you get feedback. But we got most out of deep 
engagements: TAP [the Technology Adoption 
Program], the EEC [Enterprise Engineering 
Center]. In fact, I would increase our investment 
in those kinds of programs over time 
because it's a very rich interaction. [For details 
about the EEC, see "What You Need to Know 
About the Microsoft Enterprise Engineering 
Center," July 2003, InstantDoc ID 39163.] 
Another lesson is that you have to be flexible 
and have a structure that lets you add or 
remove things—like it was pretty seamless to 
add virtualization to the plan. It was technically 
a lot of hard work, but it 
impacted the virtualization 
team, the Server Manager 
team, and overall project 
management, but that was 
about it. 


Forster: What will be hard 
for users to learn in this 
release? 

Laing: Server Core has had a 
lot of positive feedback, but 
I wonder how many people 
are really used to having no 
GUI—just command-line 
scripting of everything. Certainly 
a group of hard-core 
people will love it, and we'll get better as we 
get PowerShell on it. 

Forster: What surprised you about this 
release? 

Laing: I was very surprised how popular the 
RODC [read-only domain controller] is, and 
that came from people pushing it in directions 
I didn't expect. I had a narrow picture 
of it at the beginning: It was interesting for 
branches, basically. But people have been 
pushing it into the front-end Web server so 
they can push policy out of it. It surprised 
me how popular that was because it's a 
complicated thing to do and a lot of people 
are deploying that. 

Perspective 

Windows 2000 was notable for AD. But industry old-timers also remember it as
the long-delayed, née-Windows-NT-5.0 release. Thanks to Vista, the Longhorn
release cycle will be recalled as suffering from delays and do-overs. But
Server 2008 benefited from market developments over the past five years as
Microsoft dealt with its Linux paranoia and recognized virtualization's
significance. Nobody will remember Windows 2003 R2 (the original vision for
Longhorn), but Server 2008 will be noted as the Server Core and virtualization
release. Sometimes delay is a good thing.

InstantDoc ID 97953 

Karen Forster
(karen@windowsitpro.com) is group editorial and strategy director for
Windows IT Pro and SQL Server Magazine and former director of Windows Server
User Assistance at Microsoft.


We’re in IT with You 


www.windowsitpro.com 




















It has sharper vision for seeing across network 
resources more clearly. It has a powerful heart, 
more secure and protected than ever. It has legs 
of steel, capable of running longer, harder, more 
reliably. It's alive with innovations, like Windows 
PowerShell™, Internet Information Services 7.0,
and Failover Clustering, that will help unleash the 
potential of your servers, your IT department, 
and your business. 

Meet the new Windows Server®2008 

at serverunleashed.com 









Special Operations Software™ 


Specops Command 

PowerShell remoting through Group Policy 



Jeffrey Snover 

Windows Management Partner Architect 

Read more about Jeffrey's impressions of Specops 
Command at the MSDN PowerShell blog: 

http://blogs.msdn.com/PowerShell/ 



We bring you the future of 
scripting , today! 


Microsoft GOLD CERTIFIED Partner

Security Solutions
ISV/Software Solutions


- For more information about Specops Command and how to download 
your FREE limited version please go to: 

http://www.specopssoft.com/powershell 






Active Directory Enhancements in Windows Server 2008

New read-only domain controller tightens branch office security


Windows Server 2008 contains a variety of enhancements to Active Directory (AD)
services. A standout AD feature change is the new read-only domain controller
(RODC). As the name indicates, this enhancement adds a read-only mode
for DCs, so you can't write changes to the AD database, and you can replicate
only one way from other DCs. However, unlike the Windows NT Server 4.0 Backup Domain
Controllers (BDCs), which might come to mind, an RODC can be configured to store only the
passwords of specified users and computers. This limitation reduces
the risks in case an RODC is compromised. The Server 2008 RODC
feature, because it has the potential to reduce attack vectors, thus
improving physical security, will have a major impact on how you
deploy and manage DCs in branch offices and the perimeter network
(aka the DMZ).

Before I examine the RODC, I'll show you other enhanced AD
features in Windows 2008. I'll walk you through the AD functional
levels, both the domain functional levels (DFL) and the forest functional
levels (FFL). This should give you a good understanding of the
requirements for deployment of RODC and other new options, such
as fine-grained password policies (FGPP) and DFS replication for
SYSVOL, which I'll cover here. In addition, I'll discuss changes made
to DNS in Windows 2008 so that the DNS service works smoothly
with RODC.

For a quick overview, see Web Table 1 (www.windowsitpro.com,
InstantDoc ID 98061), which lists the RODC and other important
enhancements to AD.


by Guido 
Grillenmeier 


Windows Server 2008 
Editions Supporting 
RODCs 

The x86 (32-bit) and x64 editions of Server 2008
feature the RODC mode in all editions (Standard,
Enterprise, and Datacenter). However, because the
Itanium edition of Server 2008 doesn’t support the
AD Domain Services feature, Itanium also doesn’t
support RODCs. On all Server 2008 versions, you can
deploy RODCs on the Server Core install option. (For
details about Server Core, see the Learning Path on
page 37.)

Names for AD Services Change
in Windows Server 2008

A minor but important Active Directory (AD) change in Windows Server 2008 is one that 
will take some getting used to. To better differentiate the versions of AD, Server 2008 
introduces new names for important services. Table A shows these name changes. 

InstantDoc ID 98062 


Table A: New AD Service Names

Old                                        New
AD: Active Directory                       AD DS: Active Directory Domain Services
ADAM: Active Directory Application Mode    AD LDS: Active Directory Lightweight Directory Services


AD Functional Levels 

The RODC requires at least FFL2 (Windows 2003). What does this mean? Let's
look at the background of AD functional levels. AD functional levels were
introduced with Windows Server 2003 to avoid conflicts between AD features
specific to each OS version. Such conflicts can occur when multiple OS
versions are deployed on DCs in an AD domain or forest. Functional levels are
especially important when you want to introduce changes that affect the AD
replication mechanism or other domain- or forest-wide features that downlevel
versions of the Windows Server OS don't understand.

For example, suppose you're upgrading from a Windows 2000 (Win2K) forest,
which is functional level 0, to a Windows 2003 forest. After all DCs in a
domain are upgraded or replaced with Windows 2003 DCs, you can increase the
domain's functional level (DFL) to DFL2 (Windows 2003). DFL2 enables features
such as DC Rename and the ability to write the last logon timestamp. After you
switch all domains in a forest to DFL2, you can finally upgrade the entire
forest's functional level (FFL) to FFL2 (Windows 2003). FFL2 introduces
features such as transitive forest trusts, domain rename, and linked value
replication (LVR). LVR is a major improvement for the replication of large
multi-valued attributes such as group membership. With LVR, if you make
changes (e.g., adding or removing a member to or from a group) to a long list
of values, only those changes are replicated to other DCs, instead of
replicating the whole list of values with every change of the list, as Win2K
DCs do.

Note that many new features in Server 2008 AD don't have a specific
requirement for a DFL or FFL, but a minimum of DFL2 and FFL2 is desirable.
Microsoft made an effort to ensure implementation of RODCs in domains hosting
Windows 2003 DCs. This allows companies to deploy RODCs without first having
to upgrade the whole domain or forest. But expect some Windows 2003 hotfixes
along with Server 2008 to help make the two DC versions work smoothly with
each other in the same domain. (For information on deploying RODCs in a forest
containing Windows Server 2003 DCs, see the Learning Path on page 37.)

Four new features are enabled when you switch to DFL3 (Server 2008). Two of
those affect AD design: the ability to assign different password policies to
users in the same domain and the use of DFS replication for SYSVOL. No new AD
features are enabled after you switch the forest to FFL3 (Server 2008)—i.e.,
once all DCs in the forest are running Server 2008. However, switching to FFL3
means that all domains in the forest must run Server 2008 DCs and that no
domains or DCs with a legacy OS can be added to the forest. See Table 1 for a
summary of new AD features by functional level.

Fine-Grained Password 
Policies 

For OS versions prior to Server 2008, an AD domain can have only one password
policy that applies to the user accounts in the domain. The password policy
determines rules for password length, expiration date, and complexity for
every account in the domain. Because these settings are defined via a Group
Policy Object (GPO—i.e., the domain's Default Domain Policy), many
administrators thought they could apply multiple password policies simply by
adding different GPOs at different organizational unit (OU) levels in the
domain. However, these GPOs applied only to the computer objects located in
the respective OUs and would thus affect only local accounts on those
computers. Many companies found this situation disappointing and confusing.

Table 1: New AD Features per Functional Level

Domain or Forest Functional Level        New AD features with Windows Server 2008
Forest functional level (FFL) 2          Read-only DCs
(Windows 2003)
Domain functional level (DFL) 3          Fine-grained password policies
(Server 2008)                            Support for DFS replication for SYSVOL
                                         Domain-based DFS scalability and security enhancements
                                         AES 256 support for Kerberos protocol
FFL 3 (Server 2008)                      None (other than ensuring that no new legacy DCs or
                                         domains are added to forest)

Table 2: Password Settings Attribute Values

Password Setting                 Attribute Value
Common name                      My-ServerAdmin-PSO
Password settings precedence     10
Reversible encryption            False
Password history                 24
Password complexity              True
Minimum length                   15
Minimum age                      00:00:05:00 (5 minutes - all the time-values have to be
                                 entered in this dd:hh:mm:ss format)
Maximum age                      30:00:00:00 (30 days)
Lockout threshold                10
Lockout observation window       00:01:00:00 (1 hour)
Lockout duration                 99:00:00:00 (99 days)

Server 2008 changes this limitation by introducing Fine-Grained Password
Policies (FGPP). This feature is available only when all DCs in a domain are
running Server 2008 and the domain has been switched to DFL3 (Server 2008).
Although DFL3 still won't let you apply different password policies to
different OUs, DFL3 does let you define different password policies directly
to a user account or to a group. Note that these policies also allow you to
set different lockout rules. So, for example, you can set sensitive accounts
to lock out after fewer attempts than with ordinary user accounts. To reduce
the overall management effort, the best practice is to specify policy at the
group level rather than the user level.

Because users can be members of multiple groups, potentially more than one of
which is assigned a password policy, Server 2008 AD includes a feature to
determine the resulting policy for any user. In case no policies have been
assigned to the user or any of the user's group memberships, the default
domain policy applies. This feature gives companies flexibility in setting
password policies. Although most companies have learned to live with the
pre-Server 2008 limitations of a single password policy per domain, some
organizations have deployed different domains just to allow creation of
different policies. With Server 2008, you can use FGPP instead. Companies can
consolidate domains previously used for different password policies and
eliminate the hardware and operational costs associated with additional
domains. Most companies will value the ability to enforce tighter policies for
sensitive accounts in a domain, such as the administrative accounts and those
used by services.
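
The article does not spell out how the resulting policy is chosen, so the sketch below is an added example (not from the article or from Microsoft) that applies the resolution rules as commonly documented for Server 2008: a PSO linked directly to the user beats any group PSO, the lowest precedence value wins, and a tie falls to the smallest GUID. The PSO names other than My-ServerAdmin-PSO, the GUID strings, and the accounts are constructed.

```python
from collections import Counter
from dataclasses import dataclass

DEFAULT_POLICY = "Default Domain Policy"


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence, lower value wins
    guid: str              # objectGUID as text, used only to break ties
    applies_to: frozenset  # principals listed in msDS-PSOAppliesTo


def resultant_pso(user, global_groups, psos):
    """Return the name of the policy that governs `user`.

    `global_groups` is assumed to be the user's global security groups,
    already expanded; other group types do not carry PSOs.
    """
    direct = [p for p in psos if user in p.applies_to]
    # PSOs linked to the user object shadow every group-linked PSO.
    candidates = direct or [p for p in psos if p.applies_to & set(global_groups)]
    if not candidates:
        return DEFAULT_POLICY
    return min(candidates, key=lambda p: (p.precedence, p.guid)).name


def precedence_collisions(psos):
    """Precedence values shared by several PSOs; these rely on the GUID tie-break."""
    counts = Counter(p.precedence for p in psos)
    return sorted(value for value, n in counts.items() if n > 1)


# Constructed sample data for the demonstration.
PSOS = [
    PSO("My-ServerAdmin-PSO", 10, "1f0c", frozenset({"My-ServerAdmins"})),
    PSO("Helpdesk-PSO", 20, "2a77", frozenset({"Helpdesk"})),
    PSO("Svc-Legacy-PSO", 50, "09be", frozenset({"svc-legacy"})),
    PSO("Contractor-PSO", 20, "7d10", frozenset({"Contractors"})),
]

if __name__ == "__main__":
    print(resultant_pso("alice", ["My-ServerAdmins", "Helpdesk"], PSOS))
    print(resultant_pso("svc-legacy", ["My-ServerAdmins"], PSOS))
    print(resultant_pso("bob", ["Domain Users"], PSOS))
    print("shared precedence values:", precedence_collisions(PSOS))
```

A service account with its own weaker PSO (svc-legacy above) keeps that PSO even after it is added to My-ServerAdmins, which is the case worth reviewing when tightening policy for sensitive accounts.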

You manage the new password policies via Password Settings objects (PSO)
created in the Password Settings Container in the system container of an AD
domain. Currently, no native GUI or scripting tools are available from
Microsoft to manage PSOs. Although ADSI Edit is not the sexiest GUI to work
with for this purpose, this tool, which is now installed natively on every DC,
works well to allow easy creation and management of PSO objects. Other UIs and
new PowerShell cmdlets might be made available by Microsoft in the future, but
already there are various tools available for free on the Internet to download
and manage PSOs. See the Learning Path for more information on tools.

Using ADSI Edit to 
Create PSOs 

Using ADSI Edit, you can create PSOs in five steps:

1. Ensure that all your DCs in your domain are running Server 2008 and that
you've switched to Server 2008 domain functional mode (for example, by using
the Microsoft Management Console (MMC) snap-in AD Users and Computers).

2. Start Adsiedit.msc and connect to the default naming context (DC=<your
domain>), then browse to the following container:
CN=Password Settings Container,CN=System,DC=<your domain>

3. Right-click the Password Settings Container object and select New, Object.

4. Use the Create Object wizard to create a new msDS-PasswordSettings object.
Create the object with the attribute values shown in Table 2. The resulting
new Password Settings Object, My-ServerAdmin-PSO (along with other settings),
requires specified users to enter a 15-character password that needs to be
changed every 30 days. To take effect, the PSO still needs to be applied to
user or group objects, which is the next step.

5. Apply the newly created PSO by viewing the properties of the
My-ServerAdmin-PSO object in ADSI Edit and editing the msDS-PSOAppliesTo
attribute. Enter users or groups (i.e., those that users must be a member of)
to apply the policy to your target users. For example, I created a group
called My-ServerAdmins.
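
For a repeatable alternative to the wizard, this added example (not from the article) turns the Table 2 values into an LDIF record that ldifde can import. It shows the detail the wizard hides: the dd:hh:mm:ss values are stored as negative counts of 100-nanosecond intervals. The domain DC=example,DC=com and the OU holding My-ServerAdmins are placeholders, and the two consistency checks are assumptions about what AD will accept.

```python
TICKS_PER_SECOND = 10_000_000  # AD interval attributes count 100-nanosecond units

# Table 2 values, exactly as they would be typed into the ADSI Edit wizard.
TABLE_2 = {
    "cn": "My-ServerAdmin-PSO",
    "precedence": 10,
    "reversible_encryption": False,
    "history": 24,
    "complexity": True,
    "min_length": 15,
    "min_age": "00:00:05:00",
    "max_age": "30:00:00:00",
    "lockout_threshold": 10,
    "lockout_window": "00:01:00:00",
    "lockout_duration": "99:00:00:00",
}


def to_seconds(value):
    """Parse a dd:hh:mm:ss string into seconds, rejecting malformed input."""
    parts = value.split(":")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected dd:hh:mm:ss, got {value!r}")
    days, hours, minutes, seconds = (int(p) for p in parts)
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"field out of range in {value!r}")
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def interval_to_ticks(value):
    """Convert dd:hh:mm:ss to the negative 100-ns interval stored in the directory."""
    return -to_seconds(value) * TICKS_PER_SECOND


def check_pso(s):
    """Return a list of problems that would make the PSO invalid or weak."""
    problems = []
    if to_seconds(s["min_age"]) >= to_seconds(s["max_age"]):
        problems.append("minimum age must be shorter than maximum age")
    if to_seconds(s["lockout_window"]) > to_seconds(s["lockout_duration"]):
        problems.append("lockout observation window exceeds lockout duration")
    if s["reversible_encryption"]:
        problems.append("reversible encryption stores recoverable passwords")
    return problems


def build_ldif(s, domain_dn, applies_to):
    """Render one LDIF 'add' record for the PSO; raises if check_pso finds problems."""
    problems = check_pso(s)
    if problems:
        raise ValueError("; ".join(problems))
    flag = lambda b: "TRUE" if b else "FALSE"  # LDIF boolean syntax
    dn = f"CN={s['cn']},CN=Password Settings Container,CN=System,{domain_dn}"
    attrs = [
        ("dn", dn),
        ("changetype", "add"),
        ("objectClass", "msDS-PasswordSettings"),
        ("cn", s["cn"]),
        ("msDS-PasswordSettingsPrecedence", s["precedence"]),
        ("msDS-PasswordReversibleEncryptionEnabled", flag(s["reversible_encryption"])),
        ("msDS-PasswordHistoryLength", s["history"]),
        ("msDS-PasswordComplexityEnabled", flag(s["complexity"])),
        ("msDS-MinimumPasswordLength", s["min_length"]),
        ("msDS-MinimumPasswordAge", interval_to_ticks(s["min_age"])),
        ("msDS-MaximumPasswordAge", interval_to_ticks(s["max_age"])),
        ("msDS-LockoutThreshold", s["lockout_threshold"]),
        ("msDS-LockoutObservationWindow", interval_to_ticks(s["lockout_window"])),
        ("msDS-LockoutDuration", interval_to_ticks(s["lockout_duration"])),
    ]
    # Step 5: one msDS-PSOAppliesTo value per user or group DN.
    attrs += [("msDS-PSOAppliesTo", target) for target in applies_to]
    return "\n".join(f"{name}: {value}" for name, value in attrs) + "\n"


if __name__ == "__main__":
    # Placeholder domain and group location; substitute your own DNs.
    print(build_ldif(TABLE_2, "DC=example,DC=com",
                     ["CN=My-ServerAdmins,OU=Groups,DC=example,DC=com"]))
```

Save the output to a file and import it on a DC with `ldifde -i -f <file>`; DNs containing commas or other special characters would need LDIF escaping, which this sketch does not do.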


Learning Path

WINDOWS IT PRO RESOURCES

“Sampling Server Core,” InstantDoc ID 96438
“Understanding Trust Transitivity,” InstantDoc ID 93714

MICROSOFT RESOURCES

“AD DS: Read-Only Domain Controllers”
technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx?mfr=true
“Domain Controllers Running Windows Server 2003 Perform Automatic Site Coverage for Sites with RODCs”
technet2.microsoft.com/windowsserver2008/en/library/c0ec828b-7da2-4627-91a8-2a5312a3ceaa1033.mspx?mfr=true
“Identity and Access in Windows Server 2008”
microsoft.com/windowsserver2008/ida-mw.mspx
“Manage Windows Server 2008 DNS role”
forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1916586&SiteID=17&pageid=0
“RODC Features”
technet2.microsoft.com/windowsserver2008/en/library/0e8e874f-3ef4-43e6-b496-302a47101e611033.mspx?mfr=true
“RODC Frequently Asked Questions”
technet2.microsoft.com/windowsserver2008/en/library/e41e0d2f-9527-4eaf-b933-84f7d3b2c94a1033.mspx?mfr=true

Tools for managing PSOs:

“ADSIedit Overview”
technet2.microsoft.com/WindowsServer/en/library/ebca3324-5427-471a-bc19-9aa1decd3d401033.mspx?mfr=true
“PSO Mgr”
joeware.net/freetools/tools/psomgr/
“View a Resultant PSO for a User or a Global Security Group” (dsget command with effective pso option)
technet2.microsoft.com/windowsserver2008/en/library/21a35cbb-398d-4ab4-a6f8-39b76fb0323b1033.mspx?mfr=true

Using DFSR for SYSVOL 

A key enhancement of Windows Server 2003 R2 was a new, efficient file
replication service. Surpassing its predecessor in integration with DFS, the
new file replication service was called DFS Replication (DFSR). A major new
feature was the ability to restrict the replication traffic to just the
changes in files between two DFS replicas.

So if a file of many hundred megabytes is changed by just a few bytes, DFSR
ensures that only the changed bytes are replicated to the various replication
partners. Previously, with NT File Replication System (NTFRS), any change in a
file (including changes to attributes such as a file's NTFS permissions)
caused the whole file to replicate. Now Server 2008 adds even more scalability
enhancements to DFSR, such as an increased number of parallel file replication
threads, and the removal of the 5,000 DFS targets limit per AD-integrated DFS
root. (Now DFS roots can have an unlimited number of DFS targets.)

Figure 1: Windows 2000/2003 branch-office DCs can negatively impact the whole AD forest

Ever since the availability of DFSR in Windows 2003 R2, AD administrators had
hoped to leverage this new service for SYSVOL, after upgrading all DCs to
Windows 2003 R2. However, this was not possible—SYSVOL had to keep using the
inefficient NTFRS engine for replicating their Group Policy changes and the
contents of the scripts folder (NETLOGON share). The inefficiency of NTFRS was
actually one cause for AD architects to sometimes design multidomain forests,
merely to reduce the NTFRS traffic if a large company had many slow
high-latency network links that DCs needed to replicate across.

Server 2008 will finally make DFSR available for replication of SYSVOL between
DCs. All DCs in a domain must be running Server 2008, and the domain must be
switched to DFL3 (Server 2008). However, in contrast to some other
replication-related features, the switch to DFL3 does not automatically change
the replication of SYSVOL from NTFRS to DFSR. A fairly cumbersome procedure,
which uses the new DfsrMig.exe tool available on every DC, lets you create a
new DFS root for the SYSVOL content. This new root uses DFSR while the
original SYSVOL still uses NTFRS. As part of the migration process, you copy
the original SYSVOL contents to the new SYSVOL folder, called SYSVOL_DFSR by
default.

After you switch to DFL3 and migrate to DFSR for SYSVOL, the SYSVOL share will
leverage the new SYSVOL_DFSR folder. From then on, the SYSVOL share's contents
will replicate much more efficiently. If you're planning a new AD forest,
inefficient SYSVOL replication will no longer be a reason to design a
multi-domain forest.

DNS Changes

I don't have the space here to explain all of the DNS changes in Server 2008.
(See the Learning Path on page 37 for information on Server 2008 DNS.) For
this overview, you need to know that DNS has been updated to allow read-only
zones, which are required to support the DNS service with the RODC role. The
new read-only zones are similar to secondary DNS zones, except that the
read-only zones are integrated in AD and can only be hosted on an RODC. As you
might guess, a read-only DNS zone won't accept dynamic updates from clients.
So a special mechanism for RODCs ensures that clients are directed to the
nearest writable DNS server for dynamic DNS registrations and update requests.
Within five minutes after telling a client which server to update the DNS
information on, the RODC's DNS service will try to connect to that same DNS
server to instantly replicate the DNS changes to its own database.

Another new AD-related DNS feature allows clients to locate DCs in the "next
closest site" when they can't connect to a DC in their own site, avoiding
potentially slow connections to other remote DCs during failover. This new
capability, a function of the DNS clients on Windows Vista and Server 2008,
uses site-topology information and site-link costs stored in AD to determine
the next closest site, before querying DNS to provide a DC in the respective
site. This feature has been back-ported to Windows XP in the latest service
pack. It can be enabled via Group Policy Object (GPO):

• Path: Computer Configuration\Administrative Templates\System\Net Logon\DC Locator\DNS Records

• Enable settings: "Try next closest site"

Figure 3: Using Server 2008 AD to restrict writable DCs to trusted networks

What’s the Big Deal with RODC?

A challenge with any Win2K or Windows 2003 AD deployment has always been the
placement of DCs in remote sites (such as branch offices) that aren't
necessarily as physically secure as a company's data center.

Except for special Operations Master (FSMO) roles such as the Schema Master
and the PDC emulator, all DCs prior to Server 2008 are basically equal.
Administrators of any Win2K or Windows 2003 DC can write changes to the AD
database and can replicate these changes to other DCs in their AD domain or
forest. Therefore changes performed on a single DC can affect the whole domain
or even the whole forest. A malicious user with physical access to a DC, say,
in a branch office, can fairly easily make an elevation-of-privilege attack to
damage or even destroy a company's entire AD forest and dependent services.

As shown in Figure 1, the malicious change on the rightmost branch-office DC
replicates out to the central hub DC, which then replicates that change to all
other DCs in the enterprise. Furthermore, because all DCs always copy the full
AD domain partition, including the passwords of all users and administrators
in that domain, a compromised DC would also allow a thief to perform password
cracking attacks against the DC's AD database, enabling additional remote
attacks. (See that thief in Figure 1? He just stole a DC.)

The Server 2008 RODC was designed to reduce such risks. You can use an RODC in
locations that might not offer the same physical security as a datacenter but
require rapid, reliable, and robust authentication services, even if the
network link to a remote datacenter is not available. Companies that require
such authentication quality in their branch offices no longer have to deploy
ordinary writable DCs into these sites. Organizations now have the option to
deploy RODCs, which by default don't replicate passwords locally and never
replicate local changes back to any other DC. RODCs have a one-way only
replication connection agreement with their writable DC replication partner.
Various changes in Server 2008's underlying replication architecture ensure
that this agreement can't be changed. For example, RODCs aren't members of the
Enterprise Domain Controllers security group, which grants writeable DCs
various write permissions to the AD database.

Password Replication Policies (PRP) determine which passwords to replicate to
an RODC. Determining how to configure PRPs for your company will be a key
challenge for the management of RODCs. PRPs are managed per RODC and provide a
list of groups, users, or computer accounts that are either allowed or denied
permission to cache their password on an RODC. The PRPs are stored with the
computer account object of the respective RODC in AD, as Figure 2 shows.

Deploying RODCs is an extremely attractive proposition to increase security in
branch office and DMZ deployments. As Figure 3 shows, you would deploy
writable DCs in a Server 2008 AD infrastructure only in fully trusted networks
(data centers). You can safely deploy RODCs in edge networks. As a result, an
AD infrastructure attack like the scenario shown in Figure 1 is now limited to
the attacked RODC in the branch office. And because the RODC doesn't store any
administrator user secrets (passwords) by default and will typically be
configured to cache only the passwords of the users in the RODC's site, a
stolen RODC doesn't pose the same risk to a company that a fully writeable DC
does.
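
Because a PRP is just an allow list and a deny list per RODC, it can be reviewed offline. This added example (not from the article) flags privileged accounts whose passwords a given RODC would be permitted to cache, assuming a deny entry overrides an allow entry and an account on neither list is not cached. The RODC name, group names, and memberships are constructed, and memberships are assumed to be already expanded through nested groups.

```python
# Groups treated as privileged for this review (an assumption; adjust to your domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Constructed PRPs: one allow list and one deny list per RODC.
PRPS = {
    "BRANCH-RODC1": {
        "allowed": {"Branch1-Users", "Branch1-Computers"},
        "denied": {"Domain Admins", "Enterprise Admins"},
    },
}

# Constructed accounts with their expanded group memberships.
ACCOUNTS = {
    "alice": {"Branch1-Users"},
    "bob-admin": {"Branch1-Users", "Domain Admins"},
    "svc-backup": {"Branch1-Users", "Backup Operators"},
    "carol": {"HQ-Users"},
}


def password_cacheable(account, groups, prp):
    """True if the PRP lets this RODC cache the account's password."""
    principals = {account} | set(groups)
    if principals & prp["denied"]:
        return False  # an explicit deny always wins
    return bool(principals & prp["allowed"])  # default: not cached


def cacheable_accounts(rodc, prps, accounts):
    """Accounts whose secrets would be at risk if this RODC were stolen."""
    prp = prps[rodc]
    return sorted(name for name, groups in accounts.items()
                  if password_cacheable(name, groups, prp))


def audit_prp(prps, accounts, privileged=PRIVILEGED_GROUPS):
    """List (rodc, account, privileged groups) for cacheable privileged accounts."""
    findings = []
    for rodc in sorted(prps):
        for name in cacheable_accounts(rodc, prps, accounts):
            hit = sorted(set(accounts[name]) & privileged)
            if hit:
                findings.append((rodc, name, hit))
    return findings


if __name__ == "__main__":
    print("cacheable on BRANCH-RODC1:",
          cacheable_accounts("BRANCH-RODC1", PRPS, ACCOUNTS))
    for rodc, name, groups in audit_prp(PRPS, ACCOUNTS):
        print(f"REVIEW {rodc}: {name} is cacheable and in {', '.join(groups)}")
```

In the sample, bob-admin is blocked by the deny list, while svc-backup slips through because Backup Operators was never added to it; the fix is a deny entry for that group, not removal from the branch users group.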

An RODC can also be a Read-Only Global Catalog (ROGC). Note however, that
while ROGCs are supported to be used as GAL servers for Outlook clients, they
aren't supported as GCs for use by Exchange servers.

This will have an impact on administrators who want to deploy the RODC in a
branch office but also maintain a local Exchange server.

You can compare the features of an RODC with those of a proxy server. If a
user is authenticating in a site that has an RODC, the user's client will
locate this RODC like any other DC and attempt to authenticate to the RODC. In
fact, clients usually won't know if they're talking to a writeable DC or an
RODC, because the RODC will retrieve all the data it needs on behalf of the
client. When the user authenticates for the first time to this RODC, the RODC
will need to talk to a writeable DC (usually across the WAN to a DC in a hub
site) and authenticate the user against this writeable DC. If the RODC is
allowed to cache the user's password hash, as determined by the RODC's PRP,
the RODC will be able to fully authenticate the user the next time without
needing to contact a writeable DC.

Windows Server 2008 is off in the distance for many IT pros, but for intrepid
early adopters like IT services firm Heartland Technology Solutions, business
needs are driving a leading-edge migration. In this month's IT Pro Hero, we
talk with Arlin Sorensen, the firm's president and CEO, about his company's
experiences testing Server 2008 and the benefits he expects to gain from the
upgrade. Check out the interview at InstantDoc ID 98122.

RODCs have other attractive features that distinguish them from writable DCs:
For example, you can delegate local administrator rights (or other roles) to
domain users or groups to a specific RODC, without granting the users any
special rights in your AD domain. You do so by using the managedBy attribute
of an RODC computer object or by assigning local roles through NTDSUTIL. This
capability saves you from requiring a domain admin account for maintenance
tasks on branch-office DCs that can also be performed by users with lower
privileges. (This includes the task of promoting new DCs.) This capability is
restricted to RODCs.

More to Learn 

Server 2008 debuts several major AD enhancements, which are introduced in this
article. RODC is clearly the feature that Microsoft spent most effort on, as
you can see by looking at the changes RODC required Microsoft to make to
Server 2008's underlying replication architecture. The Learning Path lists
some further resources on Server 2008 AD enhancements and RODC.
If you plan to deploy business versions of Windows Vista or any version of Windows Server
2008—which you'll do eventually—you need to understand Volume Activation. A VA
infrastructure is necessary for companies with more than a few hundred Vista or Server
2008 systems. Without this infrastructure, every volume-licensed build of these systems
will eventually fail. In this article I define VA, explain how it works, and offer straightforward
recommendations for deploying it in common situations.


by Sean 
Deuby 


Volume Activation Overview 

Volume Activation 2.0 (VA2) is a major rework of Microsoft's original volume
licensing technology. In volume licensing, one Volume License Key (VLK) was
used to activate an unlimited number of systems. This method required strong
security to ensure the VLK was never compromised; if a key was "leaked" and
became available on the Internet, Microsoft had to deactivate the key, and all
the systems that used the key had to be rekeyed. VA2 avoids this problem by
requiring every Vista or Server 2008 build that's configured for volume
licensing to activate with Microsoft, either directly or by proxy.

In VA2, volume builds of the OS use one of two activation methods: Multiple
Activation Key (MAK) or Key Management Service (KMS). A MAK is similar to a
VLK, but it has some important differences. A MAK has a limited number of
activations associated with it, whereas a VLK is unlimited. Every activation
instance that uses a MAK must verify with Microsoft; no verification is
necessary with the VLK method. KMS is a client/server system that activates
multiple clients without requiring any action from the system's users. Unlike
in a MAK activation, a system that uses KMS doesn't have to contact Microsoft
individually. Rather, the KMS hosts themselves activate the license with
Microsoft on the client's behalf. Microsoft expects that medium and large
organizations that use VA will use KMS to activate most of their systems.

Before we delve into KMS and MAK activation in detail, let's look at the five
possible license states for VA clients. (Note that only the first state
requires no action.) The first and most common state is Licensed, in which the
client is activated and functioning normally. Next is Initial Grace or
Out-Of-Box Grace; this period occurs after the VA client is first installed.
Out-of-Tolerance Grace occurs when hardware changes on an activated system
push the system beyond a tolerance level. Non-Genuine Grace occurs when a
system that has the Windows Genuine Advantage (WGA) ActiveX control installed
fails Genuine Activation. All of these license states have a grace period of
30 days. Finally, Unlicensed occurs when any of the grace periods expire. In
the Unlicensed state, a system runs in reduced functionality mode (RFM).

Note that the Unlicensed state behavior is 
different in Vista SP1. If you're using a system 
that hasn't been activated and gone through 
the 30-day activation grace period, when you 
log on to the system on the 31st day, you'll see 
a dialog box on a plain black background. 
You'll have two options: Activate Windows 
now, which will bring up all the options to do 
so; or activate Windows later, which will take 
you directly to the desktop. Your desktop will 
appear as before, except you'll have a plain 
black background and a message in the lower 
right corner over the system tray telling you 
that your copy of Windows isn't genuine. 


Key Management Service Architecture

The KMS VA system consists of one or more KMS hosts (servers) that activate
clients configured to use KMS. These clients locate a KMS host by one of
several methods and request the host to activate them. The KMS host uses a
special KMS key to activate with Microsoft, then acts as a proxy to activate
its own clients; the clients don't need to contact Microsoft to activate. A
host can activate an unlimited number of clients. As a result, Microsoft
generally provides only one KMS key for an organization. Microsoft designed
the KMS system to be highly scalable so it requires a minimum of KMS hosts.

KMS-configured systems must renew with the KMS host on a regular basis,
otherwise they'll eventually fall into the Unlicensed state and essentially be
unusable until they reactivate with a KMS host. The reason such a critical
piece of Microsoft infrastructure requires so few servers is that the Software
Licensing Service has very loose requirements compared with other services.
When a KMS client is first built (either a Vista client or a Server 2008
server), it has 30 days to activate. This initial grace period can be reset
three times. During this period, the client tries every two hours to activate.
After the client successfully activates, it attempts to contact a KMS host
once every seven days by default to renew its activation another six months.
Each client has a six-month countdown timer that resets whenever the client
renews with a KMS host; if the client can't renew for some reason, the timer
keeps counting down, attempting again every week, until the client either
renews or falls into the Unlicensed state. So a client attempts to reach a KMS
host approximately 25 times. Also, the 15-second Time to Live (TTL) value of
each KMS request is extremely long by other services' standards and the data
exchange is quite small, so the network proximity of the KMS host to the
clients isn't especially important.

KMS Installation

KMS can be installed on Server 2008, Windows Vista, or Windows Server 2003
SP1. It's available on both x86 and x64 architectures for all platforms. No
extra software is necessary for Server 2008 or Vista, but to run KMS on
Windows 2003, go to the Microsoft downloads Web site
(www.microsoft.com/downloads), search for "KMS on W2K3 SP1," then download and
install either KMSW2K3_EN-US_x86.zip or KMSW2K3_EN-US_x64.zip. Both the KMS
host and KMS client are part of Microsoft's Software Licensing Service
(slsvc.exe)—but KMS on a Windows 2003 server is referred to as the Software
Protection Platform service.

Although KMS is available on Vista, I don't recommend this configuration.
Instead, I suggest that you use a KMS host on a server OS. Such a critical
infrastructure service should be installed on an existing server or added as a
regular production server.

The main utility to control a KMS host is 
a straightforward script, slmgr.vbs, which is 
located in the \system32 folder of volume 
license versions of Server 2008 and Vista. The 
most common switches you'll use are 

• -ipk—Install product key 

• -ato—Activate 

• -dli—Display license information 

• -xpr—Expiration date for current license 
state 

• -skms—Direct connection (vs. auto-discovery) 

The first step in installing a KMS host is 
to install a volume license version of the OS. 
A volume license OS version won't prompt 
you to provide a license key when you build 
it. When the installation is complete, use the 
following command to install the KMS key 
provided by Microsoft: 

SLMGR.VBS -ipk <KMS key> 

Note that the KMS key isn't a MAK. Don't 
give this key out indiscriminately; it's good 
for only six activations, intended for six KMS 
instances or rebuilds, for your entire company. 
Each of these instances can be reactivated 
as many as nine times. After you 
install the KMS key, you must activate it with 
Microsoft. This action authorizes, by proxy, 
all the activations the KMS host will perform. 
The most common way to activate the KMS 
host is by directly contacting Microsoft via the 
Internet. This method is called online activation, 
and is executed simply by entering 

SLMGR.VBS -ato 

If your KMS host doesn't have Internet 
access, you can call Microsoft and follow a 
mostly automated activation process. To find 
the Microsoft number to call, enter 

SLUI.EXE 4 

and follow the on-screen instructions. 

KMS Location and 
Discovery 

After your KMS host is up and running, your 
clients must be able to find it. You can forcibly 
point the clients to the host (called a direct 
connection), or you can let clients find the 
host themselves (called auto-discovery). To 
set up direct connection on a KMS client, 
simply run 

SLMGR.VBS -skms <KMS_FQDN or IP>[:<port>] 

on the client. KMS_FQDN is the Fully Qualified 
Domain Name (FQDN) of the KMS host 
(or you can enter its IP address). You can also 
specify what port the client should connect 
to, if it's other than the default of 1688. 

Auto-discovery is a more complicated 
matter. For auto-discovery, KMS uses the DNS 
SRV record to publish its service into a DNS 
zone. Following the _service._protocol format 
of the SRV record, a record for KMS would 
look like _vlmcs._tcp.mycompany.com. 

When it performs auto-discovery, the 
KMS client queries DNS for a list of servers 
that have published the _VLMCS record for 
the zone it's a member of. DNS returns the 
list of KMS hosts in random order, and the 
client picks one and attempts to establish 
a session with it. If this attempt works, the 
client caches the server and attempts to use 
it for the next renewal attempt. If the session 
setup fails, the client picks another server at 
random. The KMS locator process works a 
little like the domain controller (DC) locator 
process (which also looks for an SRV record), 
but it's simpler. For example, the client can't 
look up KMS hosts by site because doing so 
isn't necessary for the simpler requirements 
of the KMS service. Nor does KMS use weight 
and priority, which are options available in 
the SRV record to sort the result list. 

A KMS host configured for auto-discovery 
doesn't automatically publish SRV records 
to DNS in any zone other than the one 
in which it resides. This means you must 
manually publish SRV records into all other 
DNS zones—for example, the other child 
domains in a domain tree. To do so, you 
must enter each zone KMS should publish 
to in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\DnsDomainPublishList 
subkey's REG_MULTI_SZ value. Use a separate line to 
enter each zone in which you want KMS to 
publish itself. Remember that the KMS host 
itself must have rights in the target zone to 
create these records, and that the zone must 
be able to resolve the host name in the SRV 
record. If you have many domains—especially 
domains that don't trust the domain 
your KMS host resides in—this configuration 
can become one more manual list that must 
be kept in sync with your active domain list. 

KMS auto-discovery is integrated with 
DNS, not Active Directory (AD); it works just 
as well with non-Windows DNS as it does 
with AD-integrated DNS. Any DNS server 
that supports SRV records (per RFC 2782) 
and dynamic updates (per RFC 2136) will 
support KMS client auto-discovery and KMS 
SRV record publishing. BIND 8.x and 9.x support 
both SRV records and DDNS. 
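
The manually maintained publish list described above drifts easily, so it is worth auditing against what DNS actually serves. The following is an added example, not code from the article or from Microsoft: it parses a zone-file style export and compares the _vlmcs._tcp records with the DnsDomainPublishList entries, the active zone list, and the approved KMS hosts. All zone names, host names, and addresses are constructed sample data, and the finding codes are hypothetical labels.

```python
"""Audit KMS SRV publishing (added example; all names below are constructed)."""
from collections import defaultdict
from typing import NamedTuple

KMS_SERVICE = "_vlmcs._tcp."   # SRV owner prefix named in the article
KMS_DEFAULT_PORT = 1688        # KMS TCP port named in the article

# Constructed sample: zone-file style lines (owner TTL class type rdata).
SAMPLE_RECORDS = """
_vlmcs._tcp.corp.example.com.      3600 IN SRV 0 0 1688 kms1.corp.example.com.
_vlmcs._tcp.corp.example.com.      3600 IN SRV 0 0 1688 kms2.corp.example.com.
_vlmcs._tcp.emea.corp.example.com. 3600 IN SRV 0 0 1688 kms1.corp.example.com.
_vlmcs._tcp.lab.example.net.       3600 IN SRV 0 0 1689 oldkms.lab.example.net.
kms1.corp.example.com.             3600 IN A   10.0.0.10
kms2.corp.example.com.             3600 IN A   10.0.0.11
"""
SAMPLE_HOME_ZONE = "corp.example.com"   # zone the KMS host itself lives in
SAMPLE_PUBLISH_LIST = ["emea.corp.example.com", "retired.corp.example.com"]
SAMPLE_ACTIVE_ZONES = ["corp.example.com", "emea.corp.example.com",
                       "apac.corp.example.com"]
SAMPLE_APPROVED_HOSTS = ["kms1.corp.example.com", "kms2.corp.example.com"]


class Srv(NamedTuple):
    zone: str
    port: int
    target: str


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_records(text):
    """Return ({zone: [Srv, ...]}, {names that have an A record})."""
    srv_by_zone, a_names = defaultdict(list), set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank line, comment, or not a full record
        owner, rtype, rdata = norm(fields[0]), fields[3].upper(), fields[4:]
        if rtype == "A":
            a_names.add(owner)
        elif rtype == "SRV" and owner.startswith(KMS_SERVICE) and len(rdata) == 4:
            # rdata is: priority weight port target. Priority and weight are
            # skipped because, per the article, KMS clients do not use them.
            zone = owner[len(KMS_SERVICE):]
            srv_by_zone[zone].append(Srv(zone, int(rdata[2]), norm(rdata[3])))
    return dict(srv_by_zone), a_names


def audit(records_text, home_zone, publish_list, active_zones, approved_hosts):
    """Return a list of (code, detail) findings; an empty list means no drift."""
    srv_by_zone, a_names = parse_records(records_text)
    publish = {norm(z) for z in publish_list}
    active = {norm(z) for z in active_zones}
    approved = {norm(h) for h in approved_hosts}
    findings = []
    # The host publishes into its own zone without needing a list entry.
    for zone in sorted(active - publish - {norm(home_zone)}):
        findings.append(("NOT_IN_PUBLISH_LIST", zone))
    for zone in sorted(publish - active):
        findings.append(("STALE_PUBLISH_ENTRY", zone))
    for zone in sorted(active - set(srv_by_zone)):
        findings.append(("NO_SRV_RECORD", zone))
    for zone in sorted(srv_by_zone):
        for rec in srv_by_zone[zone]:
            where = f"{zone} -> {rec.target}"
            if rec.target not in approved:
                findings.append(("UNAPPROVED_KMS_HOST", where))
            if rec.port != KMS_DEFAULT_PORT:
                findings.append(("NONDEFAULT_PORT", f"{where}:{rec.port}"))
            if rec.target not in a_names:
                findings.append(("TARGET_UNRESOLVED", where))
    return findings


def run_sample():
    """Audit the constructed sample data defined at the top of this block."""
    return audit(SAMPLE_RECORDS, SAMPLE_HOME_ZONE, SAMPLE_PUBLISH_LIST,
                 SAMPLE_ACTIVE_ZONES, SAMPLE_APPROVED_HOSTS)


if __name__ == "__main__":
    for code, detail in run_sample():
        print(f"{code:22} {detail}")
```

An SRV record that points at a host outside the approved list deserves the most attention, because clients in that zone will trust whatever answers there.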

KMS Odds and Ends 

A KMS host itself doesn't provide much 
information about its operation. Instead, 
a Microsoft Operations Manager (MOM) 
management pack for KMS is available at 
the Microsoft downloads Web site 
(www.microsoft.com/downloads). The management 
pack generates alerts for the major conditions 
that can cause KMS-related activation 
problems, such as initialization failures and 
DNS SRV record publishing failures. It also 
provides a wide range of reports on client 
activations through KMS. 

Once activated, a KMS host will activate 
an unlimited number of clients. However, 
the host won't begin activating clients until 
it receives a certain number of activation 
requests from physical (i.e., not virtual) 
machines. This is called the activation threshold. 
Vista's threshold is 25 systems, whereas 
Server 2008's threshold is 5 systems. 

Suppose you have an environment with 
500 volume-licensed Vista systems and one 
KMS host on a shared production network. 
As these systems begin appearing on the 
network, they will attempt to activate with 
the host they've found, either through auto-discovery 
or direct connection. The host will 
record each attempt, but not activate the 
clients until 25 separate clients have contacted 
it. The original 25 clients, when not 
activated by the KMS host, will simply retry 
until the KMS host has reached its activation 
threshold, at which point they'll be activated 
normally. These thresholds are exclusive for 
each type; if KMS has reached its 25-client 
Vista threshold but not its 5-client Server 
2008 threshold, it won't activate Server 2008 
servers until that threshold is reached. 

A KMS host doesn't track all its licensed 
clients; it records only the last 50 activations 
to make sure the service is working correctly. 
It also doesn't pay attention to other KMS 
hosts in the network or share activation information 
between them. No upper limit exists 
for how many activations a KMS host can 
perform after it reaches its activation threshold; 
volume licenses aren't a limited resource 
on its network. As many as six KMS hosts can 
be activated with one VLK, and each KMS 
host can be reactivated as many as nine times 
(e.g., if a KMS host must be rebuilt). 
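
The threshold rules above decide whether a small or heavily virtualized network can use KMS at all. The following is an added example, not Microsoft's implementation: a simplified model of the host behavior as this article describes it, with per-product thresholds, only physical machines counted, and a bounded record of recent clients. The product labels, client IDs, and the per-product history of 50 entries are assumptions made for the model.

```python
"""Model of the KMS activation threshold as the article describes it.

Added example for planning purposes; a simplification, not Microsoft's code.
"""
from collections import OrderedDict

THRESHOLDS = {"vista": 25, "server2008": 5}   # figures from the article
HISTORY = 50   # assumption: keep the 50 most recent clients per product


class KmsHostModel:
    def __init__(self):
        # Per product: recent distinct physical client IDs, oldest first.
        self.seen = {product: OrderedDict() for product in THRESHOLDS}

    def request(self, client_id, product, physical=True):
        """Record one request; return True if the host would activate it."""
        seen = self.seen[product]
        if physical:                      # virtual machines never count
            seen.pop(client_id, None)     # a retry is not a new client
            seen[client_id] = True
            while len(seen) > HISTORY:
                seen.popitem(last=False)  # forget the oldest entry
        # Thresholds are per product type and do not borrow from each other.
        return len(seen) >= THRESHOLDS[product]


def simulate(fleet, max_rounds=3):
    """Replay a fleet of (client_id, product, physical) tuples.

    In each round every client that is not yet activated retries once.
    Returns (set of activated client IDs, number of rounds used).
    """
    host, activated = KmsHostModel(), set()
    for rnd in range(1, max_rounds + 1):
        for client_id, product, physical in fleet:
            if client_id in activated:
                continue
            if host.request(client_id, product, physical):
                activated.add(client_id)
        if len(activated) == len(fleet):
            return activated, rnd
    return activated, max_rounds


if __name__ == "__main__":
    # Constructed fleets: the article's 500-client case and a small lab.
    production = [(f"pc{i}", "vista", True) for i in range(500)]
    lab = ([(f"pc{i}", "vista", True) for i in range(10)]
           + [(f"vm{i}", "vista", False) for i in range(30)])
    for name, fleet in (("production", production), ("lab", lab)):
        done, rounds = simulate(fleet)
        print(f"{name}: {len(done)}/{len(fleet)} activated after {rounds} round(s)")
```

In the lab fleet the 30 virtual machines add nothing to the count, so the 10 physical clients never reach the Vista threshold and nothing activates.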

Using KMS rather than a MAK solution to 
activate clients has several advantages. First, 
KMS clients don't need Internet or telephone 
access to activate their systems; they just need 
to be able to communicate with a KMS host. 
Second, there's nothing to back up or restore 
on a KMS host. You simply rebuild, reinstall 
the VLK, activate, and it's ready to go. Third, 
the KMS infrastructure is very lightweight 
and scalable; one KMS host with a hot spare 
in case of failure can service many tens of 
thousands of clients. Ultimately, the deciding 
factor for how many KMS hosts you use isn't a 
matter of scalability; it's your network configuration 
and your political landscape. If a substantial 
number of your clients can't contact a 
KMS host because of network segmentation, 
you'll have to land another host. And because 
KMS is a critical part of your infrastructure, 
strongly independent business groups might 
want control over their own KMS host. 

Although Server 2008 and Vista require 
different VLKs, a KMS host can hold only one 
activation key. So how can one key activate 
both Server 2008 and Vista systems? Microsoft 
created key groups, a hierarchy 
of licensing keys based on the products you 
purchased for volume license. The groups 
range from Vista to server groups A through 
C, where each server group increases in 
complexity (and cost). Vista key groups can 
activate only Vista systems. Server group A 
can activate Windows Web Server 2008 and 
Vista; server group B can activate Server 2008 
Standard and Enterprise editions, as well as 
Web Server 2008 and Vista. Server group C 
can activate everything—Windows Server 
2008 Datacenter, Windows Server 2008 for 
Itanium-based Systems, Server 2008 Standard 
and Enterprise editions, Web Server 
2008, and Vista. When you purchase volume 
licenses, you're provided with a key group 
that matches the products you purchase. 
Installing that key on your KMS host then 
activates all the less-expensive products. 

Multiple Activation Keys 

MAKs don't require a specific infrastructure. 
Your company requests and pays for one 
MAK with a certain number of activations. 
You can activate the target system with the 
MAK in any of several ways—with an unattend 
file, manually from the Windows interface, 
or via a script. Every MAK installation 
must validate with Microsoft's activation 
servers to complete successfully. Typically 
you'd use direct activation, in which the client 
itself activates directly with Microsoft, either 
via the Web or by phone. The Web activation 
is simple and works in the same way as 
earlier activation methods do (e.g., Windows 
XP activation). Activating by phone requires 
that you call a phone number and read 
aloud or enter an alphanumeric sequence on 
your phone, after which an operator reads a 
sequence of numbers that you enter into the 
corresponding key field. 

If your clients don't have direct access 
to the Internet (e.g., in a secured lab), or 
they don't have the administrative rights 
necessary for MAK activation, Microsoft 
offers a proxy activation method that uses 
the Volume Activation Management Tool. 
VAMT, which is available from the Microsoft 
downloads Web site (www.microsoft.com/downloads), 
is designed for installation on a 
notebook that can move between the closed 
network and a network with Internet access. 
When on the closed network, VAMT applies 
one or more MAKs installed on it to the 
Server 2008 and Vista clients it discovers. For 
more information about VAMT, see the step-by-step 
guide that's bundled with the VAMT 
installation files. 

If you have to rebuild a system, you can 
use the same MAK as before—but its "number 
of keys used" will increment by one. Similarly, 
you can't reuse the same MAK as in the 
previous build. For example, if you receive 
a system from an OEM with Server 2008 or 
Vista already installed, the system has a preinstalled 
MAK that you paid for as part of the 
system cost. If you rebuild the system to your 
standard build, you can't reuse the MAK; you 
must use one of your own, essentially throwing 
away the OEM's MAK. 

Design Principles 

Although using KMS and MAKs can seem 
complicated and confusing, following a few 
design principles helps make sense of it all. 
The most important principle to remember 
when building a VA2 infrastructure is to keep 
it simple. A simple configuration is easier to 
create, configure, and maintain. In addition, 
you should try to minimize the number 
of KMS hosts you use. If technically and 
politically possible, have just one set of KMS 
hosts for the entire enterprise. Also, try to 
maximize the number of clients that use KMS 
(and thereby limit the number of clients that 
use MAKs). Finally, minimize the number of 
VAMT proxy configurations. To follow these 
principles, it's helpful to divide your Windows 
systems into the following categories: the 
production network, secure networks with 
firewall access to the production network, 
isolated networks with little or no access to 
external networks, and disconnected clients. 

Production network. This is your primary 
company intranet. Inventory the Windows 
environment's AD forests and domains on 
the production network, categorizing them 
as follows: 

• Primary corporate forest(s) 

• Secondary forests that trust one or more of 
your primary forests 

• Untrusted forests (e.g., development, 
manufacturing) 

• Workgroups 


Secure networks. For secure networks 
with firewall access to the production network, 
assume no Internet access. Again, perform 
the Windows environment inventory; a 
secure network probably won't have as many 
categories as a production network. 

Isolated networks. For isolated networks 
with little or no access to external networks, 
categorize the network as having fewer than 
25 clients, or more than 25 clients. 

Disconnected clients. Disconnected clients 
have no email access or any applications 
that require regular corporate network connections 
(e.g., a sales team's demo notebook 
computers). 

Recommendations 

I recommend that you use KMS with DNS 
auto-discovery for your corporate forest(s) 
and secondary trusted forests, because this 
configuration is the easiest to implement. 
Register KMS into all the other domains in 
your forest and trusted forests so that clients 
can use DNS to find the service. Assuming the 
majority of your clients are in these forests, 
this design lets clients immediately activate 
via KMS. This configuration also assumes 
your company has a centralized IT model 
with a limited number of untrusted forests, 
which is similar to Microsoft's environment— 
Microsoft has very few if any untrusted forests 
on their production networks. If you do have 
untrusted forests (e.g., development or test) 
on your production network, those administrators 
must manually register the KMS host's 
A records and SRV records for auto-discovery 
to work. The KMS host probably won't have 
rights to update DNS in an untrusted forest. 
Although adding records manually is simple, 
you must then manually update the records 
with the domain and forest configuration. 

Workgroup clients on the production 
network should use KMS through auto-discovery, 
but its simplicity is a matter of which 
DNS servers the workgroup clients are using. 
If they use the DNS service of the KMS host's 
forest, they can easily locate KMS. 

For secure networks with some access 
to the production network, use a layered 
approach. First, configure the firewall to 
allow TCP port 1688 so secure network 
clients can contact the KMS host. Then, if 
you use a name rather than an IP address 
(as recommended), the host must be able 
to resolve the name through DNS. Whether 
you use auto-discovery or direct connection 
for KMS depends on the network's 
DNS configuration; if the network has its 
own DNS, the network administrator must 
manually register the KMS host's A records 
and SRV records. Having a consistent DNS 
infrastructure throughout your company is 
important to avoid inconsistency errors and 
duplication of effort. Similarly, KMS port 
1688 should never be exposed outside the 
company; access to a KMS host is the same 
as handing out free VLKs. 

Secure networks without external access 
present a more difficult configuration. If the 
network has fewer than 25 clients, you must 
use MAKs and activate the clients via the 
VAMT utility. A problem with this approach 
is that you must, for example, allow notebook 
computers that have been on the external 
network onto the secure network. If you have 
more than 25 clients, you can use KMS and 
activate it over the phone. This approach has 
its own shortcomings, though, because handing 
out the KMS key to anyone other than a 
few trusted administrators isn't a secure practice. 
A variation on the secure network configuration 
is a secure network in which systems 
are rebuilt constantly (e.g., a client test lab). In 
such a situation, you might consider simply 
never activating the systems if they'll exist for 
fewer than 90 days, because you can use the 
slmgr.vbs script's rearm option (i.e., 
SLMGR.VBS /REARM) to reset the product activation 
timer a maximum of three times. 

If your company uses a standardized 
build, a simple solution is to create two 
DNS Canonical Name (CNAME) records 
with a host name such as kms.yourcompany.com. 
Have these CNAME records each 
refer to a different KMS host, to create a 
basic round-robin configuration in which 
either of the hosts is randomly chosen. 
Configure your client build for direct 
connection, with the KMS name as 
kms.yourcompany.com. All the clients will then 
use kms.yourcompany.com all the time. You 
can control which KMS hosts this CNAME 
represents, and you don't have to deal with 
auto-discovery or with registration of the 
SRV record in multiple DNS zones. 

Follow the Basics 

VA can be confusing and complicated, but 
you'll need to use it if you ever plan to deploy 
Server 2008 or Vista. Although VA2 is far more 
complex than I can discuss in one article, following 
my basic design recommendations 
will let you implement it with a minimum 
of trouble. To become a VA2 expert, go to 
Microsoft's VA2 Product Activation page 
(www.microsoft.com/licensing/resources/vol/default.mspx) 
and download the VA2 planning guide. 

Last month, in "Best Practices for Managing User Data and Settings, Part 1" (InstantDoc ID 97841), 
I began a discussion about the pieces you need to put in place to effectively manage user data 
and settings (UDS). The goal was to create a UDS-management framework—a combination of 
technology, people, and processes—to meet specific security, mobility, availability, and resiliency business 
requirements. In that article, I covered the server-side components of the framework. This month, 
I address the client-side components. 

The goal this time is to unify UDS management for both Windows Vista and Windows XP users— 
something that isn't possible without some of the tips you'll find herein, such as registry-based folder 
redirection. Specifically, we need to address four types, or classes, of UDS that I call "normal data," "normal 
settings," "locally accessed data," and "unwanted data." Unfortunately, as you'll see, Windows provides 
direct support for managing only the first two types of data, which is why so many organizations struggle 
to put all the moving parts in place—some parts are missing! 

Redirect User Data Stores 

The first class of data I'll address is "normal data" that can reside in standard Windows data stores such 
as the Documents and Desktop folders. You can use redirected folders to manage normal data and meet 
your business requirements. 

Redirected folders are a well understood, tried-and-true technology in Windows environments. You 
can redirect selected shell folders (e.g., Documents, Desktop) to shared folders on the network, and the 
result will be completely transparent to users. You implement most folder redirection through Group 
Policy, under User Configuration, Windows Settings, Folder Redirection. You should use the Group Policy 
Management Editor (GPME) on a Vista client to edit Folder Redirection Group Policy settings so that you 
can configure settings that will apply to both Vista and XP. 

Although XP supports redirecting only four folders, Vista lets you redirect thirteen folders, as you can see 
in Figure 1, page 48. I highly recommend redirecting Documents and Desktop, as well as any of the new folders 
that Vista can redirect. As I discuss later, you can redirect the AppData folder, but using roaming profiles 
is generally a better management choice for AppData. Except in schools and other environments in which 
multiple users should have identical Start menus, I've never found it useful to redirect the Start menu. 

Microsoft documents the steps for configuring folder redirection in its Help files. Rather than repeat 
those steps here, let's focus on bottom-line recommendations and tips. On the folder-redirection policy's 
Target tab, you can set the following recommended policy settings. 

• Use Basic rather than Advanced folder 
redirection. Advanced folder redirection 
lets you redirect folders to different locations 
based on group membership. That 
capability might sound great, but there 
are other policy settings supporting a UDS 
framework that aren't similarly multivalued. 
I recommend that if you need to 
redirect users to different servers, you create 
separate GPOs filtered for each group. 

• For the Target folder location of each 
folder redirection, choose the Redirect to 
the following location setting and enter 
the path \\namespace\%username%\foldername, 
where namespace is the 
DFS namespace for UDS, and foldername 
is the name of the redirected 
folder—for example, 
\\contoso.com\users\%username%\Documents. 
(We created the DFS namespace in Part 1.) 

On the Settings tab, you should change 
almost all the defaults. 

• Clear the Grant the user exclusive rights to 
Documents check box. If this check box 
is selected, only the user has access to his 
or her data stores. As I'll discuss later, you 
should configure the root folder above 
all user folders with permissions that 
reflect your corporate information security 
policy. Those permissions should be 
inherited by individual user folders. 

• Clear the Move the contents of Documents 
to the new location check box. If this 
check box is selected, a user's data moves 
automatically to the target location after 
you introduce the policy. The data move 
happens at the first logon and might take 
a significant amount of time for large folders. 
You should plan, control, and manage 
the migration of user data to the network 
folders; don't let it happen automatically. 

• Select the Also apply redirection to Windows 
2000, Windows 2000 Server, Windows 
XP, and Windows Server 2003 operating 
systems check box. Doing so will ensure 
that the folder-redirection policies apply to 
all Windows clients. This check box is available 
only for folders that XP can redirect. 

Redirect XP Favorites 
and Media Folders 

Although Vista lets you use folder-redirection 
policies to redirect all user data folders, XP 
won't let you use these policies to redirect 
folders such as Favorites, My Music, and My 
Videos. You can, however, use registry-based 
redirection to redirect these XP folders. In 
the XP registry, the 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders 
key contains values for each of these folders. You can 
change the data of these values to redirect the 
folders to network locations. The resulting 
redirection is identical to folder redirection 
implemented through Group Policy. 

In fact, I'll make it easy for you. How about 
a Group Policy administrative template that 
manages registry-based redirection of these 
folders? You can download the 
Registry-Redirection.adm file from 
www.windowsitpro.com, InstantDoc ID 98004. Load the 
file into a GPO that's scoped to apply to XP 
users. I recommend using registry-based 
redirection for Favorites, My Music, My 
Pictures, and My Videos on XP, even though 
you can use folder-redirection policies to 
redirect XP's My Pictures. For Vista clients, 
use standard folder-redirection policies. 

When you redirect XP media folders, 
applications such as Apple iTunes and Windows 
Media Player (WMP) will automatically 
use the redirected folder. But what about users 
who are accustomed to opening My Documents 
and double-clicking a folder to access 
media? To accommodate those users, I recommend 
that after you migrate the contents 
of those folders to the network, you delete the 
actual subfolders in My Documents. Then, 
create shortcuts called My Music, My Pictures, 
and My Videos that point to the new locations. 
Those shortcuts will provide XP users with the 
visual links they use to browse to media. Of 
course, you might also choose not to redirect 
one or more of these folders based on your 
need to manage users' media files. 

With folder-redirection policies managing 
all user data stores for Vista users, and 
a combination of folder-redirection policies 
and registry-based redirection for XP users, 
you can unify the experience of users who 
roam between computers running different 
OSs. Regardless of where the user logs on, he 
or she will have access to all data stores. 

Roaming Profiles Manage 
Ntuser.dat and AppData 

Now that you've redirected all user data stores 
and Favorites, you're left with the two remaining 
stores of user settings: the user's registry 
hive and the AppData folder—%userprofile%\Application Data 
(in XP) and %userprofile%\AppData\Roaming 
(in Vista). These stores, 
which I refer to as "normal settings," are best 
managed with roaming profiles. 

Figure 1: Vista lets you redirect 13 folders 

Roaming profiles got a bad rap in the days 
of Windows NT 4.0. Even in the 21st century, 
many organizations have had less-than-ideal 
experiences with roaming profiles, citing the 
size and synchronization of profiles as particularly 
problematic. However, properly implemented 
roaming profiles work very well. 

Profile synchronization is quite efficient. 
At logon and logoff, Windows compares the 
server copy of the profile with the locally 
cached copy and synchronizes only files that 
have changed. However, if your Documents 
folder has thousands of files, scanning those 
files to identify what has changed can take 
a long time, creating a perception of slow 
logon and logoff processes. Additionally, the 
Desktop or Documents folders might have 
one or more large files. For example, PST files 
can be huge. Each time Microsoft Outlook 
touches a PST file, it changes that file's timestamp 
so that, at logoff, Windows considers it 
a changed file even when the contents of the 
PST file haven't changed. At each logoff, then, 
your PST files get copied to the profile on the 
server. Therefore, in most environments, it 
isn't appropriate to allow users' desktops and 
Documents folders to roam. 

These two examples illustrate the problem 
of enabling roaming profiles without 
careful thought and design. It's important to 
exclude certain folders from roaming. Redirected 
folders are automatically excluded 
from roaming, so once you redirect the 

Since the beginning of the widespread 
adoption of computer technology in business 
there has been a common theme. Hardware 
and software technologies continually advanced, 
leapfrogging each other as new technologies were 
developed and deployed. This meant that IT was 
dealing constantly with one or two common issues; 
the first, and most annoying, was that software 
applications required the absolute newest, fastest, 
and most capable computers, and often were only 
marginally happy on that hardware; always wanting 
a little more power and capability than the current 
state-of-the-art hardware was able to deliver. The 
second was the reverse; hardware capabilities 
outstripped software requirements and IT felt that 
they were paying more money than they needed 
to for capabilities that they couldn’t make use of in 
their server purchases. 

In 2008 technology professionals find themselves 
at an interesting juncture; hardware and software 
technologies are coming together to deliver a 
complementary set of capabilities that allow for 
the deployment of incredibly powerful, mission-critical, 
line-of-business applications that are 
scalable, cost-effective, and can fully and efficiently 
utilize the power and capabilities of both hardware 
and software. 

User Needs Drive Server Market 

Let’s look at the major user needs that are driving 
the server market in 2008; server consolidation, 
application consolidation, database-driven 
solutions, and business intelligence. These market 
forces all require the same underlying support; a 
powerful server operating system that can take 
full advantage of current and future hardware 
technologies, and, of course, hardware that can 
deliver on the promise of the operating system. 

That operating system is arriving in the form of 
Windows Server 2008. With this next generation of 
the Windows Server system, IT is getting the answer 
to many of the questions they have been posing over 
the last few years. Microsoft has continued to build 
on the ease-of-use delivered by the Windows Server 
platform, by adding features such as the new Server 
Manager console, which significantly simplifies the 
tasks involved in server setup and configuration 
while providing a central location for ongoing 
server management. And a new feature, Windows 
PowerShell, delivers a command-line control 
interface that allows an administrator to build 
command-line driven scripts to automate common 
and repetitive administrative tasks. Additional 
wizards have been added to simplify complex 
tasks such as installing clusters and deploying the 
operating system in network environments. While 
ease-of-use continues to improve, the operating 
system is also more secure and reliable than in 
previous versions. 

Security is always an underlying concern for 
system administrators and with Windows Server 
2008 they are getting an operating system that has 
been hardened against common security problems 
and system failures. The addition of technologies 
like Network Access Protection (NAP) means that 
administrators are able to lock down access to their 
servers and take a major step to ensure that only 
authorized users gain access to data on protected 
servers. While not a specific security solution, the 
Windows Server 2008 Server Core installation 
means that it is possible to deploy specific purpose 
servers that don’t get a GUI or many of the points 
of potential attack that need to be secured. 

Bring on Hyper-V 

But if we were going to pick one feature of 
Windows Server 2008 that will have the greatest 
impact on IT, it has to be Windows Server Hyper-V. 
Hyper-V is a hypervisor-based virtualization 
technology. With the ability to completely virtualize 
server hardware, Hyper-V becomes the enabling 
software technology for server consolidation, 
application consolidation, server scalability, and 
application availability, giving an administrator the 
ability to deliver virtual SMP servers to applications 
and operating systems as necessary. Hyper-V is not 
limited to virtualizing Windows Server; Linux and 
other operating systems running on x86 (both 32 
and x64-bit) architectures can also be supported on 
the same hardware running Windows Server 2008 
Hyper-V as the virtualization engine. And keep in 
mind that virtualization is not restricted to running 
high-performance, cutting-edge applications. Server 
consolidation often means trying to keep older server 
technologies and in-house applications running as 
well. So a virtualized server, running in a partition on 
a current, state-of-the-art technology machine, may 
be running a server operating system and application 
that is seven or eight years old. 

This powerful software virtualization technology 
needs hardware that is equal to the task to really 
deliver optimal solutions to the IT user. This is where 
Intel’s processor technology steps up to the plate with 
the latest generation of multi-core server processors 
and Intel Virtualization Technology (Intel VT). 

Processors that include Intel VT (and the operating 
systems software that supports it) can take advantage 
of a set of processor hardware enhancements that 
allow the offloading of workloads to the system 
hardware that would otherwise be handled solely 
in software, improving performance, in some 
cases, to near-native performance levels. With the 
right software, Intel VT is also able to improve the 
reliability of virtualization, making for more reliable 
server consolidation solutions. 

Multi-Core Technologies 

Multi-core technologies also come to the fore with 
the new server operating system. While Windows 
Server has supported SMP systems since its 
introduction, applications that were able to take full 
advantage of SMP have been fairly rare and limited 
in scope. The introduction of multi-core processors 
exacerbated the problem from the point of view of 
IT; they were able to get significantly more powerful 
systems at lower relative costs, but there were few 
server applications that could take full advantage 
of the processor power being delivered. This is 
another area where virtualization really becomes a 
cost-effective solution; the capabilities built into the 
processors in the Intel-based servers already being 
purchased can now be better utilized by deploying 
Windows Server 2008 Hyper-V. 

The Quad-Core Intel® Xeon® processor 
7300 series, based on the Intel® Core™ 
microarchitecture, offers leading scalable 
performance and best-in-class virtualization 
for server consolidation. Tests have shown an 
increase of more than double the performance in 
virtualization and almost triple the performance 
benefit per watt of consumed power, over previous 
generations. The top of the line Quad-Core Intel 
Xeon 7300 series processors provide faster high-speed 
interconnects, support for larger system 
memory implementations and support for up to 
32 sockets—which means 128 CPU cores using 
high-performance quad-core processors. 

These advances mean that it is possible for 
OEMs to build server systems that can be used to 
virtualize dozens, if not hundreds of physical servers 
into a single platform, in many cases with no 
apparent performance hit to the end-users of the 
services provided by those virtualized servers. And 
it also opens the way for vendors to build next- 
generation applications that take full advantage of 
the servers and operating systems that are becoming 
available today. 

Choice of Hardware Vendor Critical 

But server and application consolidation 
with Windows Server 2008 and current Intel VT-enabled 
multi-core processors means that the 
choice of hardware vendor will become progressively 
more critical. As IT builds bigger, more consolidated 
systems the choice of OEM will become the driving 
factor in the selection of server hardware. The 
enterprise server IT environment has truly come full 
circle. From the days of big mainframe computers 
with enterprise service contracts and responsibilities 
we have worked our way through the independent 
adoption of all sorts of computing technologies 
and now find ourselves back to the point where 
the service and support model provided by the 
server vendor has become paramount in the selection of 
enterprise servers. 

This is where the experience and history of a vendor such 
as Unisys becomes valuable to the IT implementation. 
Unisys offers enterprise-class hardware for your server 
implementation, starting with their midrange ES3000 
Enterprise Servers which offer 2- and 4-way high- 
performance mid-point server solutions, and ranging up 
to their ES7000/one Enterprise server, a rack mounted 
solution that is scalable to 32 Intel multi-core Xeon 
processors and 512 GB of memory. The server can be set 
up with up to eight partitions or run as a single 32-way 
computer, if your operating system choice supports it. It 
can be deployed as a single-server solution that can grow to 
meet the enterprise computing needs of your organization, 
adding capabilities as you consolidate more of your 
standalone servers and applications to this single server. 

Many mission-critical solutions can benefit from 
architectures that incorporate scalable servers and other 
components designed for high efficiency and availability. 
When these best-of-breed components are combined 
using accepted methodologies, such as centralization and 
consolidation, and technologies, such as virtualization, 
superior results can be achieved. In enterprise Exchange 
environments, for instance, utilization and reliability are 
increased; footprint, power and cooling, and management 
expense are reduced; and total cost of ownership is 
optimized compared to more traditional federated 
topologies. Unisys also brings significant experience to 
the IT world in the process of building mixed workload 
consolidation solutions, as well as dedicated consolidation 
solutions for enterprise-scale server applications such as 
SQL Server. While the task of building a consolidated 
server environment can appear to be a straightforward 
one, if the enterprise is doing more than just consolidating 
file and print services, there are many issues that need to 
be addressed before and during the consolidation process 
that are far from clear. Attempting such a project by 
trial and error is unlikely to be cost-effective; 
it would benefit significantly, both in costs and 
progress, from the skills and expertise of 
an organization that has specialized in these types of 
migration. 

Unisys server hardware ships with the Unisys Server 
management technology, which is an autonomic server 
monitoring tool designed to keep the server running at 
its peak health and performance. This tool does system 
monitoring, self-healing, and security and it improves 
high-availability and reliability. The tool can also do asset 
management and link to Unisys and third-party systems 
and operations management tools. 

With Unisys solutions, technology, and deep mission- 
critical expertise, IT organizations can reduce the 
complexity of their IT infrastructure and deployments 
both by consolidating servers, services, and applications 
into smaller numbers of servers and by utilizing the 
high-availability, high-reliability service and support tools 
available to the user. A look at the software licensing 
models that are evolving in the marketplace, starting 
with Windows Server 2008, will show IT managers that 
forward-looking vendors are encouraging the use of 
large-scale virtualized environments as the direction that 
future environments should pursue. 

With the release of Windows Server 2008 and current 
generation processor and server hardware, IT pros face a 
brand new set of challenges to their day-to-day jobs. The 
drive for IT will strongly focus on how to get jobs done 
more efficiently, how these new technologies can best be 
utilized, what vendors should be partnered with, and what 
direction the computing environment will be taking. 

This next generation of server and operating system 
implementations offers an IT department the chance 
to make revolutionary leaps in the capabilities of the 
services they offer to their business, rather than the simple 
evolutionary changes that they have become accustomed to. 

David Chernicoff is a Senior Contributing Editor 
for Windows IT Pro magazine. He has been writing 
computer-related features and product reviews for more 
than 15 years and is coauthor of Microsoft Windows XP 
Power Toolkit (Microsoft Press). 
http://unisys.com/products/enterprise_servers/index.htm 

Microsoft Windows Server 2008 Hyper-V 
http://www.microsoft.com/windowsserver2008/virtualization/default.mspx 

http://www.intel.com/technology/platform-technology/virtualization/index.htm?iid=technology_ 

Intel Multi-Core Technologies 
http://www.intel.com/multi-core/index.htm?iid=tech_ 
Unisys Embraces Virtualization Technology 

In the following interview, Mark Feverston, VP, Microsoft Solutions, and Jim Boak, VP, Microsoft 
Strategic Alliance, talk about how Unisys solutions will incorporate Windows Server 2008. 


Q: Mark, Unisys has long been known as a 
leader in the Windows enterprise computing 
space. How do you see that Windows Server 
2008 will affect the position of Unisys in the 
marketplace? 

Mark: It will enhance it! We have historically relied 
on Windows Server to provide a scalable operating 
system platform for our mission-critical, enterprise- 
class deployments. In fact, our joint engineering 
relationship with Microsoft dates back to the late 
90s when we were one of the earliest supporters and 
champions of Windows Server Datacenter Edition. 
With the introduction of Windows Server 2008, we 
anticipate companies generating new, larger workloads, 
which is the “sweet spot” for our expertise and our 
technologies. 

Q: What are some of these new workloads you 
are referring to? 

Mark: A number of our enterprise customers have 
been asking for our assistance in addressing certain 
infrastructure optimization needs. In response, we 
have developed a number of solutions that apply our 
increasing family of server technology with Windows 
Server 2008 in a number of novel ways. We will have 
some exciting news around this shortly. But what I can 
share with you today is that we will be leveraging our 
extensive infrastructure optimization experience and 
enterprise server expertise to provide a new, robust 
and cost-effective solution based on Windows Server 
virtualization technology for large-scale desktop 
environments. We will also be announcing a solution 
for consolidating, securing and managing Microsoft 
Exchange Server 2007 environments. So stay tuned 
for more details over the next few months! 

Q: That sounds great. But how about Unisys’ 
current value proposition as it relates to server 
and datacenter consolidation? 

Mark: A large proportion of our ES7000 family of 
servers has been deployed in server consolidation roles. 
The reason for this is easy to understand: Unisys 
mainframe design provides a balanced architecture 
and economies-of-scale supporting high-volume 
virtualization of infrastructure resources while 
reducing environmental and operating costs. In fact, 
Microsoft continues to be a major consumer of Unisys 
server technology in both its production as well as 
development environments. 

Q: Jim, as Mark mentioned earlier, Unisys 
has long had a strategic relationship with 
Microsoft. But why work with Microsoft in 
the first place? What is the value of your 
alliance? 

Jim: Through the Unisys and Microsoft Solutions 
Alliance, our two companies have established a 
strategic relationship that enables us to jointly drive 
high-value opportunities for our customers. By 
combining the deep industry expertise of Unisys 
with the interoperability and familiarity of Microsoft 
technologies, we are uniquely positioned to offer our 
enterprise customers the solutions and services that 
they need to build efficient systems, empower their 
people, and capitalize on new business opportunities. 
Our customers have come to expect a seamless 
experience when they purchase solutions that leverage 
both Unisys and Microsoft resources. Through our 
close working relationship, we deliver the exceptional 
customer experience that our clients demand. For 
more than 30 years, Unisys has been delivering 
enterprise-class, mission-critical solutions to maximize 
the importance of people and technology while 
driving business success for our clients in challenging 
industries. Unisys has thousands of successful enterprise 
customers on the Microsoft platform worldwide. Our 
alliance with Microsoft delivers significant benefits 
to our joint customers by providing highly secure, 
scalable Unisys solutions on the Microsoft platform. 

We work closely with Microsoft through joint 
engineering development and sales engagements, and 
our collaborative efforts are supported by dedicated 
resources in both companies. 



Intel Brings Better Performance to 
Windows Server 2008 


In the following interview, Mark Swearingen, Director of the Microsoft Program Office, talks about how Intel has 
worked closely with Microsoft to provide a powerful hardware foundation for Windows Server 2008. 

Q: Intel has long been known as a leader in the Windows enterprise computing space. How do you see 
that Windows Server 2008 will affect Intel’s position in the marketplace? 

Mark: Intel put significant effort into making sure that our server and platforms deliver break-through 
performance, reliability and efficiency while running Windows Server 2008. Microsoft and outside analysts predict 
that this will be one of the fastest operating system ramps in Microsoft’s history. I’m confident that servers based 
on Intel’s Xeon and Itanium processors will provide the hardware foundation for this technology transition point. 


Q: What is Intel’s current value proposition as it relates to server and datacenter consolidation? 
Anything you’d like to add on virtualization technology? 

Mark: All of the work that we’ve done together on Power Management, Virtualization, Security and RAS 
(Reliability, Availability and Serviceability) translates into high performance, highly efficient servers for the 
datacenter. And of course, all of Intel’s Xeon™ processors and server platforms have the features necessary to run 
Microsoft’s Hyper-V - Intel 64, VT and XD bit. We’ve worked closely with Microsoft to make sure that each of 
these features provides optimum performance on Windows Server 2008. 


Q: Intel has long had a strategic relationship with Microsoft. But why work with Microsoft in the first 
place? What is the value of your alliance? 

Mark: Intel works closely with Microsoft so that we can deliver what our joint customers demand. Our work 
with Microsoft on Windows Server 2008 started more than five years ago and these activities increased in 
scope and complexity through the long development cycle. This broad effort included influencing and aligning 
roadmaps between core operating system areas and architectures, identifying system requirements and features, 
prototyping and co-developing support for key features and validation and optimization of these features for Intel 
platforms. All of this work translates into better performance and lower TCO on Intel server platforms running 
Windows Server 2008. 
Documents, Desktop, and other folders, the 
number of files in your roaming profile—and 
particularly the number of large files—will be 
significantly reduced. 

You can use Group Policy to exclude 
additional folders from roaming. The Group 
Policy setting you require is Exclude directories 
in roaming profiles, located under User 
Configuration, Administrative Templates, 
System, User Profiles. Because this setting 
is user-based, you could have different folders 
roaming based on a user's role. You can 
specify folder names relative to the user 
profile, such as 
AppData\Roaming\Microsoft\Windows\Cookies. Figure 2 shows an 
example that excludes the Cookies folder on 
both Vista and XP. 

A well-designed UDS framework will 
use roaming profiles as the mechanism for 
managing a user's registry file—the ntuser.dat 
file in the root of the profile. This file 
contains a number of critical settings and 
customizations that affect a user's Windows 
experience, and it's absolutely worth managing 
to achieve your mobility, availability, and 
resiliency requirements. The only practical 
way to meet the requirements for the registry 
file is a roaming profile—even if the only item 
in the roaming profile is ntuser.dat. 

I also recommend that you allow the 
AppData folder—specifically, the \AppData\Roaming 
folder in Vista and the \Application Data 
folder in XP—to roam. It's possible 
to redirect AppData, but in my experience, 
many poorly coded applications won't function 
correctly if AppData is redirected. Some 
applications also have trouble if, on a laptop, 
AppData is cached using offline files and 
network connectivity causes the computer to 
transition between online and offline modes. 
I think your goal should be to redirect AppData 
eventually but not until you have time 
to thoroughly test all applications. So, the 
practical recommendation is to use roaming 
profiles to manage AppData until you can 
confidently redirect it. 

Vista appends a .V2 extension to the 
folder that hosts the user's roaming profile. 
If you configure a user's profile path as 
\\namespace\%username%\profile, the user's 
XP profile will be in the Profile folder, and 
the user's Vista profile will be in the Profile.V2 
folder—automatically. Due to significant 
differences in registry and AppData structure, 
there's no way to unify those two settings 
stores for Vista and XP users. They will be 
separate. That's another good reason for 
ensuring that roaming profiles manage only 
those two stores—any other stores in the 
roaming profile will be duplicated and separate 
for a user's XP and Vista profile. 

When a user's roaming profile contains 
only the registry file and the AppData folder, 
the profile should be very small. On my heavily 
overloaded laptop, my roaming profile is 
only 40MB. Profile synchronization has less 
data to scan and copies only changed files, 
so the process is fast, efficient, and reliable. 

Manage the Location of 
Unwanted Data 

Most IT organizations aren't expected to 
manage users' personal music collections. 
I'm using music as an example of what I call 
"unwanted data"—a class of data that isn't 
subject to your business's security, mobility, 
availability, and resiliency requirements. 
You might identify other types of data as 
unwanted: users' personal files, pictures, 
or email archives from non-business email 
accounts. This is one class of data for which 
Microsoft doesn't provide a straightforward 
management solution. Vista makes it easier 
to manage unwanted data classes if they parallel 
specific media types: The Vista Pictures, 
Music, and Videos folders are already at the 
root of the user profile. For other classes of 
unwanted data (e.g., personal files), you'll still 
need this workaround. 

To ensure that unwanted data isn't stored 
on network servers, you must first move 
the data so that it's not within the scope of 
a redirected folder. For example, XP's My 
Music folder is a subfolder of My Documents. 
Because My Documents will be redirected, 
you must relocate the My Music folder. Create 
a first-level folder underneath the root of 
the user profile—%userprofile%\Music, for 
example—and move the data to that folder. 

Next, determine how to redirect applications 
and the user to the new location. In 
the case of a media folder such as Music, 
you can use registry-based redirection to 
redirect applications to the new location. 
You can even use the RegistryRedirection.adm 
Group Policy administrative template 
to implement the registry-based redirection. 
Just point the My Music folder to your custom 
folder (%userprofile%\Music). You must also 
ensure that users can find the custom folder 
for the unwanted data. Shortcuts placed at 
the data folder's old location do the trick. 

Repeat this process for each class of 
unwanted data: Create a folder within the 
user profile, redirect applications as necessary, 
and provide users a way to navigate 
to the folder. Of course, you can combine 
various types of unwanted data within one 
user-profile folder. I recommend creating a 
Personal Files folder (%userprofile%\Personal 
Files) to host unwanted data that isn't directly 
associated with pictures, music, or videos. 

After you move all unwanted data out of 
redirected folders, the final step to managing 
unwanted data is to exclude the unwanted 
data folders from roaming profiles. Use the 
aforementioned Group Policy setting to 
exclude each unwanted data folder. 

Manage Data That Must 
Be Accessed Locally 

Sometimes, it's possible to store data on the 
network, but you find that performance over 
the network while accessing that data is unacceptable. 
Consider a company that creates 
videos for Web streaming. Editing video files 
over the network generally isn't feasible. Most 
video-editing software performs adequately 
only when video files are accessed from the 
local disk subsystem. Our sample company 
needs to manage these video files according 
to the same requirements I mentioned 
earlier, including resiliency, availability, and 
perhaps even mobility. 

These files need to reside on the network, 
but users need to access them from a local 
disk. I refer to such data as "locally accessed 
data"—another class of data for which Microsoft 
provides no perfect management solution. 
There are three approaches you can use 
to address locally accessed data. Each has its 
pros and cons. 

First, you can move such data out of 
redirected folders and into folders in the user 
profile. Users access files in the user profile 
locally. They'll be synchronized to the network 
at logoff as part of the roaming-profile 
synchronization. However, if locally accessed 
data files are large, synchronization can be 
extremely time-consuming. 

Second, you can keep the data in redirected 
folders, use offline files to take the data 
offline, and leverage a new Group Policy setting 
available to Vista clients: Network Directories 
To Sync At Logon/Logoff Time Only. 
The policy is located in User Configuration, 
Administrative Templates, System, User Profiles—a 
non-intuitive location for an offline 
files setting. You use the network paths to the 
locally accessed data to configure the policy—for 
example, 
\\namespace\%username%\Documents\StreamingVideoProjects. Vista 
clients will access files in that location from 
the local cache, providing all the performance 
benefits of local access. Unfortunately, 
as with roaming profiles, the data will 
synchronize at logoff and synchronization 
time might be unacceptable. 

The third approach is to move the data 
out of redirected folders and into the user 
profile—but to exclude the folders from roaming. 
Then, implement another mechanism 
that synchronizes or backs up the data in the 
folders to appropriate network locations on a 
configurable schedule. Our video-streaming 
company, for example, could create a folder 
for each user (%userprofile%\StreamingVideoProjects) 
and exclude it from users' 
roaming profiles, then use a scheduled task 
to back the folder up to the network every few 
days. The Windows Administration Resource 
Kit has a script that does just that—and the 
script works on all current versions of Windows. 
You can deploy the script as a logon or 
startup script or as a scheduled task, and it 
uses Robocopy to synchronize the local store 
with a network folder at a given frequency—once 
a week, for example. In Part 1, I recommended 
a Backups folder in the physical and 
DFS namespace; that folder is specifically 
designed to store a network backup of files in 
this "locally accessed" class of data. 
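
A sketch of the third approach as a batch file run from a scheduled task. This is an added example, not the Windows Administration Resource Kit script and not code from the article; the Backups path under \\namespace, the log file name, and the script path and task name in the scheduling comment are assumptions.

```batch
@echo off
rem Added example: back up a locally accessed folder that is excluded from
rem roaming profiles. Robocopy ships with Vista; on XP it comes from the
rem Windows Server 2003 Resource Kit Tools.
rem
rem Assumed one-time scheduling (script path and task name are hypothetical):
rem   schtasks /Create /TN UdsLocalBackup /SC WEEKLY /D FRI /TR "C:\Scripts\uds-backup.cmd"
setlocal

rem Assumed locations: adjust to your own namespace layout.
set "SRC=%USERPROFILE%\StreamingVideoProjects"
set "SHARE=\\namespace\%USERNAME%\Backups"
set "DST=%SHARE%\StreamingVideoProjects"
set "LOG=%USERPROFILE%\uds-backup.log"

rem Nothing to do if this user has no local project folder.
if not exist "%SRC%\" exit /b 0

rem Laptop off the network: record the skip and succeed, so the task does
rem not show as failed every time the user is travelling.
if not exist "%SHARE%\" (
    >>"%LOG%" echo %DATE% %TIME% backup share unreachable, skipped
    exit /b 0
)

rem /E  copies subfolders and never deletes from the backup
rem     (/MIR would also purge files the user removed locally)
rem /Z  restartable mode, useful for large video files on a flaky link
rem /R /W  bound the retries so a locked file cannot stall the task
robocopy "%SRC%" "%DST%" /E /Z /R:2 /W:5 /NP /LOG+:"%LOG%"
set "RC=%ERRORLEVEL%"

rem Robocopy exit codes are a bit mask: 1 = files copied, 2 = extra files,
rem 4 = mismatches. Only 8 (copy failures) and 16 (fatal error) are errors,
rem so testing for a non-zero code would report every real copy as a failure.
if %RC% GEQ 8 (
    >>"%LOG%" echo %DATE% %TIME% backup FAILED, robocopy exit code %RC%
    exit /b %RC%
)

>>"%LOG%" echo %DATE% %TIME% backup completed, robocopy exit code %RC%
exit /b 0
```

The redirections are written before each echo so that a single-digit exit code at the end of the line is not parsed as a file handle number.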

UDS to Go 

After you've moved UDS to network servers, 
keep in mind that laptop users will need 
access to data and settings when they're 
disconnected from the network. Roaming 
profiles will ensure that a user's registry file 
and AppData folder are available locally. For 
all the data in the redirected folders, you can 
use offline files to cache the network data 
stores for offline access. In fact, Vista and XP 
clients will automatically cache redirected 
folders. There are many caveats and nuances 
that affect the design and implementation of 
offline files. I'll go over the most important. 

• Vista and XP support the encryption of the 
offline files cache, adding a layer of security 
to user data on the road. See "Using 
EFS with Offline Files" (InstantDoc ID 
47624) for more information. 

• Consider disabling the automatic caching 
of redirected folders on desktop systems. 
You probably don't want the conference 
room computer to cache the redirected 
folders of every user who logs on to it. 

• By default, XP systems will scan all files 
in offline folders to determine what has 
changed and what needs to be synchronized 
at logoff. If you have thousands 
of files cached, this scanning can take 
forever. XP can use a different algorithm 
to track files as they're changed, making 
logoff synchronization significantly more 
efficient. Use Group Policy to disable the 
Synchronize All Offline Files Before Logging 
Off policy setting, which you'll find 
in Administrative Templates, Network, 
Offline Files of both User Configuration 
and Computer Configuration. This option 
is equivalent to the Synchronize All Files 
Before Logging Off option on the Offline 
Files tab of the Control Panel Folder 
Options applet. This approach works well 
when you're primarily or exclusively using 
offline files to make user data (as opposed 
to shared data) available offline. 

• Consider removing the list of blocked file 
types when you're using Offline Files to 
cache user data. Check out the Microsoft 
article "Error message: 'Files of this type 
cannot be made available offline"' for 
details. (See the Web-exclusive Learning 
Path at www.windowsitpro.com, InstantDoc 
ID 98004.) 

• Folders that you've redirected by using 
registry-based redirection won't automatically 
be made available offline. You can 
"push" these files offline into users' caches 
by using the Administratively Assigned 
Offline Files policy setting, which you'll find 
under User Configuration, Administrative 
Templates, Network, Offline Files. 

• Provide XP users a way to force themselves 
offline when connected over a 
mediocre connection. If an XP user connects 
to the corporate network over a 
VPN, Offline Files might decide that the 
connection is "good enough" and attempt 
to work from the network copies of cached 
files. It might even try to synchronize 
over the VPN. Microsoft Product Support 
Services (PSS) can provide you with Csccmd 
(csccmd.exe), a command-line tool 
for managing Offline Files. The tool supports 
a /DISCONNECT switch, which can 
force a namespace offline so that users 
work from the locally cached copy. Create 
a batch file on the user's desktop that 
he or she can double-click to stay offline 
while connected over the VPN. Here's an 
example of the batch file: 

csccmd /DISCONNECT:\\contoso.com\users\%username%\documents 
csccmd /DISCONNECT:"\\contoso.com\users\%username%\desktop" 

• The functionality and performance of 
Vista's Offline Files is so vastly improved 
over that of XP that you should have very 
few problems supporting the offline use of 
UDS for Vista users. 

Tip of the Iceberg 

A UDS management framework can be quite 
complicated, not only because of the complexity 
and idiosyncrasies of the involved 
technologies but also because you have to creatively 
address two data scenarios—unwanted 
data and locally accessed data—that Windows 
technologies don't adequately support. 

Microsoft's documentation thoroughly 
details the steps necessary to implement the 
individual technologies with which to manage 
UDS. Unfortunately, very little documentation 
exists to help you support the varied 
classes of data in your enterprise. This article 
should help you overcome and avoid common 
implementation pitfalls, and if you still 
need help, I strongly encourage you to dive 
into Chapter 3 of the Windows Administration 
Resource Kit for comprehensive guidance 
toward a UDS management framework. 
I'm addicted to digging up quality tools and utilities that are free—it's a 
treasure-hunter's challenge! Sure, anyone can find costly utilities that do a good job of making 
a certain task easier. The trick is to find the free ones that perform just as well as their 
commercial counterparts. Since last September's publication 
of “8 More Absolutely Cool, Totally Free Utilities” (InstantDoc 
ID 96628), I've been having a lot of fun unearthing more and 
more free utilities for my toolbox, and I'm dying to share them with 
you. So, check these out and start downloading! (Check out the Learning 
Path, page 54, for download details.) 

BY DOUGLAS TOOMBS 

TestDisk 

Recently, an external USB drive that I was using for file backups and 
storage of non-critical files experienced a hard crash—you know, 
the “thunk-thunk-thunk” heads-against-platters noise that makes 
any systems administrator's skin crawl. I knew my chances for a 
full recovery were rather slim, so I started looking around for 
data-recovery utilities. 

I came across TestDisk, an open-source application licensed 
under the GNU Public License. Available from Christophe Grenier, 
TestDisk—completely free for any person or organization to use— 
can help you recover damaged partitions, make non-bootable disks 
bootable again, and repair damaged boot sectors. The application 
runs under DOS, Windows, Linux, the BSD variants, and MacOS, to 
name just a few OSs. File-system support includes every common 
type (e.g., FAT, NTFS, EXT2/3), as well as a bunch you've probably 
never heard of. I have no doubt that TestDisk can repair or recover 
data from a broad range of malfunctioning 
systems. Figure 1 shows its main interface. 

Unfortunately, however, TestDisk didn't 
solve my problem. The “thunk-thunk-thunk” 
sound was a dead giveaway that I was facing 
a physical/mechanical disk problem. No 
software can fix physical problems, and the 
TestDisk documentation makes that clear. 
For mechanical problems, you'd need to 
enlist the services of a professional data- 
recovery service that can physically open the 
drive and try to read the platters back. 

I had hoped I'd get lucky, to no avail. Still, 
the experience gained me another valuable 
tool for my toolbox—one that I'll keep around 
should disaster strike. 

GParted LiveCD 

Have you ever painted yourself into a corner 
by partitioning a physical disk drive into multiple 
logical partitions, only to realize months 
later that you didn't anticipate your space 
needs correctly? In the past, I've paid for 
commercial partition-management utilities 
such as Norton's PartitionMagic to get myself 
out of such situations. Invariably, however, by 
the time I need to use a partition-management 
utility a second time, I'm using a newer 
file system or a new type of disk that my 
partition manager doesn't support. Recently, 
for example, I had to move an ext3 partition 
around on one of my systems' hard disks, but 
my outdated partition-management utility 
didn't support ext3. 

Having paid multiple times for similar feature sets, I was recently happy to find GParted LiveCD when I needed to resize some partitions on my laptop. GParted LiveCD is a bootable runtime version of the Gnome Partition Editor (GParted). By booting up a small, stripped-down instance of Linux, GParted LiveCD is the only tool you'll ever need for managing partitions on your systems—including resizing partitions, moving partitions, and even mirroring partitions.

GParted LiveCD is available as a downloadable ISO image. After the download, you can burn it straight to a bootable CD-ROM (see CDBurnerXP 4 later) and put it in the machine whose partitions need editing. Of course, it goes without saying that you should always perform a full system backup before resizing a partition on a production system.

JkDefrag 

How about my absolute favorite disk-based utility? JkDefrag is a disk-defragmentation and -optimization utility for all modern versions of Windows. You might ask, “Why should I care about a disk defragmenter when Windows has one built in?” Because the Windows defragmenter is a bit basic, there's still a great marketplace for commercial third-party disk-defragmentation utilities, and for that reason, I appreciate a utility such as JkDefrag.

Developed by Jeroen Kessels, JkDefrag 
runs automatically, is very easy to use, and 
supports several customization features 
through command-line switches. Speaking 
of command-line switches, there are also 
GUI and screen-saver versions of JkDefrag, 
in addition to the command-line version. 

JkDefrag can handle typical internal hard disks, external USB drives, floppy disks, memory sticks—essentially anything that Windows interprets as a drive. It uses the standard defragmentation API provided by Microsoft, so it's as safe to use as Windows' built-in defragmenting utility. However, JkDefrag doesn't simply aim to defragment your hard disk; the tool's available command-line strategies will also help you optimize that disk's performance. Figure 2 shows JkDefrag at work.

For example, when you launch JkDefrag for the first time (without any command-line parameters), it will begin to defragment and optimize all the mounted writable drives on your system that it can find. The default optimization is a fast optimization, which should increase system performance a bit. For example, the beginning or center of a hard disk performs much better than the very edge of a disk; therefore, as a default strategy, JkDefrag will attempt to move all files to the center of the disk. However, it doesn't do so arbitrarily! JkDefrag tries to place files closest to the center of the disk based on three levels of importance: directories (the most often accessed files on a system) in the front, regular files in the middle, and SpaceHogs at the end. JkDefrag uses the SpaceHogs nomenclature to describe files that tend to be large but less important. Examples of SpaceHogs include MP3, WMV and AVI files, and any i386 directories you might have lying around. When I run JkDefrag on my systems, I also flag AAC and *.m4? files as SpaceHogs by using the -u command-line option. (I have a lot of purchased content from iTunes.)

After JkDefrag finishes its first default run, 
you should have a neatly organized hard disk, 
with your most important data toward the 
center of the disk and the least important in 
Figure 3: PageDefrag’s main screen

the back. Once you've finished your first run, you can schedule recurring defrags to take place during off hours through the Control Panel Scheduled Tasks applet.

After running JkDefrag for several weeks, 
I must say that my system seems a bit faster. 
Give JkDefrag a spin on your computer. You'll 
be glad you did! See the Learning Path for 
information about where to get JkDefrag's 
latest standalone executables (no installation 
required!). 

PageDefrag 

While I'm on the topic of defragmentation and performance, there's one file in your computer that's probably taking up a lot of space, is critical in terms of system performance, and can't be defragmented by standard defragmentation utilities. That would be your pagefile.

The computer I'm using to write this article, for example, has a pagefile that consumes about 1.5GB worth of space. As Windows swaps certain programs in and out of main memory, the pagefile is the storage container that receives the program data. I can't even begin to comprehend the complexities of keeping a file such as this optimized for maximum performance, but fortunately I don't have to. Mark Russinovich at Sysinternals has done it for me.

As you might know, Sysinternals was the home of some of the best free Windows utilities anywhere on the Internet. Recently, Mark joined Microsoft, and therefore Microsoft has inherited all these great tools. PageDefrag is just one of the many Sysinternals utilities you can find at the company's Web site. Figure 3 shows PageDefrag's main screen.

When I first ran PageDefrag, the application presented a list of files that it would defragment (i.e., the pagefile, the hibernation file, event logs, and the registry hives), and I was surprised to see that my 1.5GB pagefile had more than 2,000 fragments across my hard disk! I instructed PageDefrag to defragment my pagefile during the next Windows bootup (the only time the pagefile isn't in use, and therefore the only time it can be defragmented) and let it start its work. You can have PageDefrag run once on the next reboot or every time your system boots.

DriveImageXML

Have you ever had to restore a full desktop system from a failed hard disk, with only a recent Windows backup available to you? If so, you understand the hassle of such a process. First, you have to get a new hard disk, place it in the PC that needs to be rebuilt, and install a clean copy of Windows (assuming you remember where you put that system's installation media). That process can take

Learning Path

Find your free tools:

CamStudio (camstudio.org)
CDBurnerXP (cdburnerxp.se)
Comodo Firewall Pro (www.personalfirewall.comodo.com)
DriveImage XML (www.runtime.org/dixml.htm)
GParted LiveCD (gparted-livecd.tuxfamily.org)
JkDefrag (www.kessels.com/JkDefrag)
PageDefrag (www.microsoft.com/technet/sysinternals/Utilities/PageDefrag.mspx)
TestDisk (www.cgsecurity.org/wiki/TestDisk)

WINDOWS IT PRO RESOURCES:

“8 Absolutely Cool, Totally Free Utilities,” InstantDoc ID 50122
“8 More Absolutely Cool, Totally Free Utilities,” InstantDoc ID 96628
“A Bootable Network Security Toolkit,” InstantDoc ID 44409
“6 Network Protocol Analyzers,” InstantDoc ID 42922
Figure 4: The DriveImageXML interface

over an hour for most systems. Then, finally, you can restore your full backup to the system and get back up and running. Wouldn't life be easier if you had an image of your system that you could just zap to a new hard disk, and get back up in less time?

Disk-imaging tools such as Norton Ghost offer a solution to this problem: Instead of doing a system-level backup, such tools create an image of the disk itself. Then, if you experience a failure, you simply need to write that image to a new disk, and you're ready to go—without the intermediate step of reinstalling a base copy of Windows.

Runtime Software provides a free utility called DriveImageXML for this purpose. It stores the images it creates as XML-formatted data so that your images aren't locked up in a proprietary vendor's binary format. Through the DriveImageXML interface (which Figure 4 shows), you can also browse through disk-image files to view or extract individual files,
if necessary. DriveImageXML works with all FAT and NTFS partitions and runs on Vista, Windows 2003, and XP.

CDBurnerXP

Several years ago, I realized I was getting 
buried in original source-media CD-ROMs 
and DVDs for all the different versions of 
OSs, applications, and peripherals I regularly 
work with. Keeping track of all these discs 
was becoming tedious, so I started storing 
ISO image files of every original media CD I 
got, as soon as I received it. By archiving these 
CDs in a central location on my network, I 
knew they would always be available. If a CD 
was ever lost or destroyed, I could still turn 
to the ISO file and burn a new disc in a few 
minutes, saving me the hassle of contacting 
the vendor for a replacement disc. 


CDBurnerXP is 
the first tool I used 
for this purpose, 
and it's still the tool 
I use today. It's a 
full-featured CD- 
burning program 
that includes the 
ability to create ISO 
files from CDs and 
DVDs, and it can 
burn CDs, DVDs, 
HD DVDs, and 
Blu-ray DVDs. In 
addition to using 
CDBurnerXP as an 
ISO-reading and 
-burning utility, I 
use it as a capable audio disc burner. Figure 
5 shows the tool's UI. CDBurnerXP runs 
on Vista, Windows 2003, XP, and Windows 
2000. 

Comodo Firewall Pro 

When I ponder the notion of a "free firewall," 
I get a bit skeptical. After all, considering the 
speed at which Internet-based threats grow, 
how good could a "free" firewall application 
be? I'm always happy when my skepticism 
is proven wrong, and Comodo Firewall Pro 
does just that. 

When I first installed Comodo Firewall Pro, I initially thought I'd just installed a copy of Zone Alarm (a popular, commercial personal firewall application). After a reboot to insert the proper network-level modifications into my system, Comodo Firewall Pro instantly recognized that it was communicating on a network it hadn't seen before (i.e., my home network) and asked me to provide a name for it. Then, a few network utilities in my Startup folder that Comodo Firewall Pro didn't know about attempted to connect to the Internet. Comodo Firewall Pro immediately saw this outbound communication attempt and displayed a dialog box identifying the application that was trying to communicate (and to where) and asking whether I wanted to allow or deny the outward communication. After I allowed these trusted applications the rights to communicate when necessary, Comodo Firewall Pro never bothered me about them again. Within five minutes of using Comodo Firewall Pro, I was extremely impressed by its thoroughness—especially considering the price. Figure 6 shows Comodo Firewall Pro's UI.

How and why, you might ask, does Comodo offer such a worthwhile product for free? In a forum posting on the company Web site, the CEO expresses his intention of offering Comodo Firewall Pro for free as a means to build corporate brand identity and raise customer awareness. It's a smart strategy, and I have a feeling Comodo Firewall Pro will be around for a long time. Comodo Firewall Pro runs on Vista and XP, both 32-bit and 64-bit versions.

CamStudio 

In "8 More Absolutely Cool, Totally Free Utilities," you'll find a sidebar for a utility called Wink—a good tool for building screencast recordings. Screencasts are digital recordings of computer-display output, often overlaid with audio or video. These types of tools are becoming increasingly popular as training and demonstration utilities. After you produce a screencast, an audience of thousands can watch it immediately. Since mentioning Wink in that article, I've discovered CamStudio, another strong contender in this space.

CamStudio is a solid utility for recording screencasts, interleaving audio and video simultaneously, then producing final content in Web-friendly Flash files for easy, cross-platform consumption. Having paid for commercial versions of such applications in the past, I'm quite impressed with CamStudio and look forward to it being a strong contender in this space.

Can’t Beat the Price 

Commercial versions of all the utilities in 
this article would probably cost more than 
$500. Save that money and download these 
free and open-source counterparts, which 
perform just as well. Stay tuned for the fourth 
installment of this series, in which I'll share 
more free software gems to make your 
easier. 
In "PowerShell 101, Lesson 1" (February 2008, InstantDoc ID 97742), I introduced you to the concept of cmdlets and how to run basic PowerShell commands. I also showed you how to use aliases and how to use PowerShell's Get- cmdlets to get help when creating commands. For example, you can use the Get-ChildItem cmdlet to retrieve a list of items in a folder or the Get-Content cmdlet to retrieve the content of a text file. With cmdlets and their parameters, you can run a wide variety of commands that display system information or carry out tasks.

However, a cmdlet alone might not always provide the full functionality you require. For this reason, PowerShell lets you create pipelines that link cmdlets together to carry out complex operations and refine the system information you retrieve. In this lesson, you'll learn how to link cmdlets into a pipeline to create PowerShell statements. You'll also learn how to format and sort statement output.

Implementing a Pipeline 

A PowerShell pipeline is a series of cmdlets that pass objects from 
one cmdlet to the next. Each cmdlet generates an object and passes it 
down the pipeline, where it is received by the next cmdlet. The receiv¬ 
ing cmdlet uses that object as input and generates its own output as 
an object. You connect cmdlets into a pipeline by using the pipe (|) 
operator. 

Pipelining in PowerShell is different from pipelining in other command shell environments, such as the Windows command shell. In traditional environments, a command's results are returned as a single result set, which means that the entire result set must be generated before any information is passed down the pipeline. The first result is returned at the same time as the last result. In PowerShell, however, the results are streamed through the pipeline. As soon as a command returns a result, it passes it down the pipeline, and that result is immediately available to the next command in the pipeline.

Let's look at an example that will help you understand how a pipeline works. If you run the cmdlet

Get-Service

you'll receive a list of the services installed on your system, similar to the list in Figure 1, page 60. Notice that the cmdlet returns the status, name, and display name of each service. Suppose you want to retrieve a list of running services only. You can pipe the output from the Get-Service cmdlet to the Where-Object cmdlet, which filters the output based on the specified criteria, as shown in the statement

Get-Service |
Where-Object {$_.status -eq 'running'}

As you can see, you use a pipe operator to connect the two cmdlets. The Get-Service cmdlet generates an object that contains the service-related information. The object is passed down the pipeline to the Where-Object cmdlet. The Where-Object cmdlet receives the object and uses the information as input. The Where-Object cmdlet filters the information based on the Status property value. Notice that the Where-Object cmdlet includes an expression enclosed in braces ({}). If the expression evaluates to true, the Where-Object passes that object down the pipeline and filters out any other object.

In this case, the Where-Object expression states that the Status property value must be equal to (specified by the -eq operator) the string running. Status is one of the properties available to the object generated by the Get-Service cmdlet. When an object is passed down the pipeline, you can access its properties, as I've done in the Where-Object expression. To access a property in the pipeline in this manner, you use the $_ built-in variable. This variable holds the current object within the pipeline each time the Where-Object cmdlet loops through the pipeline results. You can then reference the object's properties, as in $_.Status. The output now looks similar to that in Figure 2. (You'll learn more about the Where-Object cmdlet, object properties, and operators in later lessons.)

Note that you'd typically enter the statement just given on one line in the PowerShell console window. However, column widths in the magazine force us to print this statement on more than one line. Also note in Figure 2 the >> character sequence at the beginning of some of the lines in the command. This character sequence constitutes a multiline prompt. For information about when you'd want to enter a statement on multiple lines in the PowerShell console window and how to properly do so, see the sidebar "How to Handle Long PowerShell Statements," page 62.

Now suppose you want to list only the display name of each running service. You can pipe the output of the Where-Object cmdlet to the Select-Object cmdlet:

Get-Service |
where {$_.status -eq 'running'} |
select displayname
In this statement, the Select-Object cmdlet
receives the object from the Where-Object 
cmdlet. In this case, the statement uses the 
where alias to reference the Where-Object 
cmdlet and the select alias to reference the 
Select-Object cmdlet. In the select cmdlet, 
you specify the name of the property (or 
properties) that you want to display. For 
this example, I've specified the displayname 
property. The statement will now output 
results similar to those in Figure 3. 

The key to using pipelines is to remember 
that you're always working with objects. Each 
cmdlet generates an object that the next 
cmdlet in the pipeline receives. Even the final 
cmdlet generates an object that outputs the 
statement results. As you progress through 
the lessons, you'll learn how to use those 
objects and their properties to refine your 
PowerShell statements. 

Formatting Statement Output

By default, PowerShell formats a state- 


as shown in Figure 4. If you don't want the output in this default format, you can pipe the statement output to a format cmdlet. PowerShell supports four cmdlets that format output:

• The Format-Table cmdlet displays data in a table (Figure 4). This is the default format for most cmdlets, so you often don't need to specify it.

• The Format-List cmdlet displays data in a list.

• The Format-Wide cmdlet displays data in a wide table that includes only one property value for each item.

• The Format-Custom cmdlet displays data in a custom format, based on stored configuration information in a .ps1xml format file. You can use the Update-FormatData cmdlet to update a format file. (A discussion of the Update-FormatData cmdlet and format files is beyond the scope of these lessons. See PowerShell's “Update-FormatData” Help file for more information.)



Figure 4: Displaying output in a table format 
To change the format of the output from the preceding statement, you can pipe it to the Format-List cmdlet:

Get-Process powershell |
Format-List

Now your results will be similar to those in Figure 5. Notice that the list format displays only a subset of the information displayed in the table format. The information displayed differs between formats. PowerShell determines how to format the results based on object type. In other words, the format type, layout, and properties returned are specific to the type of object. For example, the results returned by the Get-ChildItem cmdlet when retrieving file system information will be different from the results returned when retrieving information about the registry because they're two different types of objects, even though the same cmdlet is used. PowerShell uses a set of complex XML format (.ps1xml) files to determine how to display the results.

Controlling Statement Output

When you execute a statement, PowerShell applies the default format to the output and sends that output to the console window, unless you override this behavior by using one of the four format cmdlets I just described. However, you can also control where to send that output. PowerShell provides six cmdlets for controlling output:

• The Out-Host cmdlet sends output 
to the PowerShell console. This is the 
default output cmdlet, so you don't 
need to specify it. 

• The Out-Default cmdlet sends output 
to the default formatting cmdlet. In 
addition, Out-Default delegates the 
outputting process to the Out-Host 
cmdlet. You don't need to specify the 
Out-Default cmdlet. 

• The Out-File cmdlet sends output to a 
specified file. 

• The Out-Null cmdlet deletes output 
and doesn't send it to the PowerShell 
console. 

• The Out-Printer cmdlet sends output 
to a printer. 

• The Out-String cmdlet converts the 
pipeline object to an array of strings. 

You can find additional information 
about each cmdlet in the PowerShell 
Help files. 

To control a statement's output, add the output cmdlet at the end of your pipeline. For example, the following statement formats the PowerShell process information into a list, then sends that list to the C:\SysInfo\ps.txt file:

Get-Process powershell |
Format-List |
Out-File C:\SysInfo\ps.txt
Figure 5: Displaying output in a list format

Figure 6: Sorting data based on property values


When you send output to a file, PowerShell saves the content to the file but doesn't display it in the console. You can use the Out-File cmdlet to send output to any type of file that makes sense. For example, you wouldn't want to send text to a .bmp file. Although this wouldn't throw an error, you wouldn't be able to view anything when you opened the file.

The Out-File cmdlet lets you choose whether to append the output to the
Learning Path

For more information about pipelining:

“Piping and the Pipeline in Windows PowerShell”
www.microsoft.com/technet/scriptcenter/topics/winpsh/manual/pipe.mspx

For more information about how to format output:

“What Can I Do With Windows PowerShell? Using the Format-List Cmdlet”
www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/format-list.mspx

“What Can I Do With Windows PowerShell? Using the Format-Wide Cmdlet”
www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/format-wide.mspx

For more information about how to control where output is sent:

“What Can I Do With Windows PowerShell? Using the Out-File Cmdlet”
www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/out-file.mspx

“What Can I Do With Windows PowerShell? Using the Out-Printer Cmdlet”
www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/out-printer.mspx

“Making PowerShell’s Out-Printer Cmdlet Easier to Use,” InstantDoc ID 97632

For more information about how to sort output:

“What Can I Do With Windows PowerShell? Using the Sort-Object Cmdlet”
www.microsoft.com/technet/scriptcenter/topics/msh/cmdlets/sort-object.mspx

If you’re beyond the basics, check out:

“PowerShell One-Liners for Managing the File System,” InstantDoc ID 96320
“PowerShell Script Lets You Check Patches’ Status,” InstantDoc ID 97609
“Understanding PowerShell Security,” InstantDoc ID 94624



file or replace the existing content with the output. By default, it replaces any existing content. To append the output, you need to add the -append switch to the Out-File cmdlet:

Get-Process powershell |
Format-List |
Out-File C:\SysInfo\ps.txt -append
HOW TO HANDLE LONG POWERSHELL STATEMENTS

As a PowerShell statement grows larger, it’s not always practical to enter it on a single line in the PowerShell console window. You can enter a long statement on several lines, but you must take into account how PowerShell treats new lines. When PowerShell determines that a line is incomplete, it continues to the next line when processing the statement. For example, when the first line in a statement ends with the pipe operator, as in

Get-Service |
where {$_.status -eq 'running'} |
select displayname

PowerShell knows that the statement continues to the next line. This statement returns results similar to those shown in Figure 3. Notice the multiline prompt (>>) that precedes each line after the first line. When PowerShell expects a line to continue to a second line, it uses a multiline prompt for that line. You then type the next line of code at that prompt. Once PowerShell enters this multiline mode, it will continue in this mode and always prompt you with the multiline prompt. When you finish entering the last line, press Enter a second time to execute the command and return to the normal prompt.

Now suppose you break the statement before the pipe operator: 

Get-Service 

| where {$_.status -eq 'running'} 

| select displayname 

PowerShell now interprets the first line as complete and processes it as an entire statement. 
PowerShell then tries to process the second line, which results in the error message: An 
empty pipe element is not permitted. 

You can remedy this situation by adding a back tick (`) to the end of the lines:

Get-Service `
| where {$_.status -eq 'running'} `
| select displayname

The back tick tells PowerShell that the statement continues to the next line. The statement 
now returns the same information shown in Figure 3. 

PowerShell processes any line that it thinks is a complete statement. In other words, it 
automatically terminates a statement when it reaches a new line unless it thinks that the 
statement continues. However, you can also manually terminate a statement by adding a 
semi-colon (;) at the end: 

Get-Service | 

where {$_.status -eq 'running'} | 
select displayname; 

This statement returns the same results as those shown in Figure 3. 

InstantDoc ID 97958 


Sorting Statement Output 

In addition to formatting output, you'll often find that you'll want to sort output. To sort output, you use the Sort-Object cmdlet. This cmdlet takes the input objects from the pipeline and sorts them based on the criteria you define. As I mentioned previously, PowerShell streams the results down the pipeline from one command to the next. However, when you sort data, the Sort-Object cmdlet waits until it has all the results (objects) and then sorts them. This effectively stops the streaming process until everything is sorted. For a small result set, this isn't a problem, but it could impact performance when retrieving large amounts of data.


Still, the Sort-Object cmdlet can be a handy tool. For example, suppose you want to retrieve a list of the items in the C:\Windows folder. You can use the Get-ChildItem cmdlet in a statement such as

dir c:\windows |
where {$_.length -gt 500000} |
sort -property length -descending

This statement passes the output object from the Get-ChildItem cmdlet (referenced by the dir alias) to the Where-Object cmdlet (referenced by the where alias). The Where-Object cmdlet specifies that the length must be greater than (specified by -gt) 500,000 bytes. The results are then passed down the pipeline. When the Sort-Object cmdlet (referenced by the sort alias) has all the objects, it sorts them based on the defined criteria.

In this case, the Sort-Object cmdlet first 
specifies that the sorting should be based on 
the Length property. The -descending switch 
indicates that the results should be sorted 
in descending order, as shown in Figure 6, 
page 61. If you don't specify the -descending 
switch, the results are sorted in ascending 
order. In addition, you can specify more than 
one property (separated by commas) on 
which to base the sort order. PowerShell sorts 
the data first by the first property specified, 
then by the second, and so on. 
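
The streaming behavior described in this lesson, and the way Sort-Object interrupts it, can be watched directly. This is an added example, not code from the original article: Get-SampleItem is a hypothetical helper that emits constructed objects, and the [pscustomobject] syntax assumes PowerShell 3.0 or later.

```powershell
# Added illustration; Get-SampleItem is a hypothetical helper, not from the article.
# It emits three constructed objects and logs the moment each one is produced.
function Get-SampleItem {
    foreach ($size in 300, 100, 200) {
        Write-Host "produced $size"
        [pscustomobject]@{ Name = "item$size"; Length = $size }
    }
}

# 1. Streaming: "consumed" lines interleave with "produced" lines, because each
#    object travels down the pipeline as soon as it is emitted.
Write-Host '--- filter only (streams)'
Get-SampleItem |
    Where-Object { $_.Length -gt 150 } |
    ForEach-Object { Write-Host "  consumed $($_.Length)" }

# 2. Sort-Object must see every object before it can emit the first one, so all
#    "produced" lines appear before any "consumed" line.
Write-Host '--- filter, then sort (blocks until input ends)'
Get-SampleItem |
    Where-Object { $_.Length -gt 150 } |
    Sort-Object -Property Length -Descending |
    ForEach-Object { Write-Host "  consumed $($_.Length)" }

# 3. Filter before you sort: Where-Object discards objects while they stream, so
#    Sort-Object only has to hold the survivors in memory.
$large = @(Get-SampleItem | Where-Object { $_.Length -gt 150 } | Sort-Object Length)
Write-Host "sorted $($large.Count) of 3 objects"
```

On a large result set, placing Where-Object ahead of Sort-Object keeps the blocking step as small as possible.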

Moving Forward 

As this lesson demonstrates, the PowerShell pipeline is a powerful feature that lets you combine multiple cmdlets to perform a series of successive operations on one or more objects. You can pipe together multiple cmdlets into a statement, format the output from that statement, specify where to place the output, and even sort the outputted information. In the lessons to follow, you'll learn how to enhance your statements even further so you can take full advantage of PowerShell's pipeline capabilities.
rent state of Windows.

Windows IT Pro. Mark has also authored 17 other technology books, spoken on technical topics in 20 countries, and written and appeared in a dozen technical education videos. His most recent works are Mastering Windows 2000 Server, Third Edition and Mastering Windows XP Professional. He has also written Linux for NT/2000 Administrators and a seventh edition of Mastering Windows NT Server 4.0.
EXCHANGE SERVER 2007 SP1 OVERVIEW
MICROSOFT

This session will introduce the latest changes to be introduced in the first service pack for Microsoft Exchange Server 2007. This service pack includes new features such as Standby Continuous Replication (SCR) as well as extensions to existing functionality such as Public Folder access in Outlook Web Access.

EXCHANGE SERVER 2007 SP1 DEPLOYMENT PLANNING 
MICROSOFT 

Exchange Server 2007 brings with it many new concerns for implementation 
given the new 'roles-based' nature of the product. Migration approaches are 
necessarily different from previous versions too, given new hardware 
dependencies. In this session, we take a comprehensive look at all of the new 
requirements and techniques. This session has been updated to include
SP1-specific content.

MICROSOFT EXCHANGE 2007 ARCHITECTURE AND DESIGN
AT MICROSOFT
MICROSOFT

Ever wondered how a large enterprise plans and implements design and architecture
of its next generation of messaging system? Join us in this session
where engineers from the Microsoft IT messaging team will uncover the details
on how Exchange 2007 infrastructure was introduced and fully deployed in a
120,000+ mailbox production environment. Topics will include: messaging topology
design, hardware planning for various Exchange server roles, Client Access
Server and Mobility scenarios, Transport architecture, Mailbox server and storage
designs, backup, restore and high availability strategies.

MICROSOFT WINDOWS POWERSHELL SCRIPTING FOR 
MICROSOFT EXCHANGE SERVER 2007 
MICROSOFT 

This session covers the new Windows PowerShell-based Exchange cmdline and 
scripting interface. Learn how to convert your multiple page Visual Basic and 
COM scripts to mere one-liners in Microsoft Exchange 2007. We cover the basics 
of the management shell, as well as the underlying design and key concepts. 
Additionally, we go into more depth on how to build larger scripts that can be 
used to automate small and medium, as well as enterprise business scenarios. 

MESSAGE SECURITY AND HYGIENE IN EXCHANGE SERVER 2007 
MICROSOFT 

Come to this session and find out how Exchange Server 2007 can authenticate 
and encrypt mail within your network. Put your questions to the experts and 
learn how anti-spam and antivirus can be deployed with Exchange Server 2007 
in your environment. Are you interested in how you can maintain system 
integrity by adjusting spam and virus settings and implementing the appropriate
security policies? Ask questions and work through real world scenarios with
Microsoft's experts to discover how end-users can also manage junk email. 

EXPLORING COMPLIANCE IN EXCHANGE SERVER 2007 
MICROSOFT 

As e-mail becomes the standard of business communication, companies are 
increasingly looking for better ways to control their messaging systems. Not 
only is the sheer volume of e-mail a challenge, but the information stored in 
them is generally unregulated and can leave a company exposed to litigation. 

In this session, you'll learn how to deploy compliance and policies within your 
environment using the various capabilities in Exchange Server 2007. You'll see 
how you can provide end-users with the capability to keep what needs to be 
kept; and to expire what is no longer valuable by implementing a Messaging
Records Management solution. You'll also learn how transport rules, transport
journaling and other capabilities in Exchange Server 2007 can be used to help 
your organizations achieve compliance. 

HIGH AVAILABILITY FOR EXCHANGE SERVER 2007 SP1 
MICROSOFT 

E-mail has become mission-critical for the large and the small. Businesses and 
organisations of all types can no longer afford the extended outages of disasters
like failed disks, corrupt databases, failed servers, or power outages.
Microsoft Exchange Server 2007 provides simplified in-the-box high-availability 
solutions that make recovery from many disasters barely noticeable to end 
users. Learn how Local Continuous Replication, Cluster Continuous Replication, 
Standby Continuous Replication and Single Copy Clusters provide fast recovery 
for events that used to be called disasters. 

STRATEGIES IN DISASTER RECOVERY: FROM DISK TO SITE 
FAILURE FOR MICROSOFT EXCHANGE SERVER 2007 
MICROSOFT 

Disasters can range from single database corruption to natural disasters that 
take out an entire datacenter. Are you prepared for the set of outages that can 
affect your e-mail service or data availability? Have you defined your strategies 
for the small to the big outage? This session covers the range of disaster 
recovery strategies possible in Microsoft Exchange Server 2007, culminating in 
the ultimate of all disasters - recovering from a full site failure. 

EXCHANGE SERVER 2007 UNIFIED MESSAGING: FEATURES
AND DEPLOYMENT
MICROSOFT

Microsoft has included Unified Messaging natively in Exchange Server 2007. In 
this session, learn about the features, benefits, and architecture of Exchange 
Unified Messaging. See how Exchange can take voicemail and fax messages; 
how you can call in over any phone to access your voicemail, e-mail, calendar, 
or contacts; how you can build automated attendants; and how speech access 
is integrated into the product. Learn how easy it is to configure and deploy 
Exchange Unified Messaging for your organization. 

EXCHANGE UNIFIED MESSAGING: PBX CONNECTIVITY 
MICROSOFT 

Think Unified Messaging is hard to deploy? Think again! This session will provide
an overview of the technical components of Exchange 2007 UM, explain
how UM connects to PBX and IP PBX equipment, and sample configurations of 
simple UM deployments, all in one session! 

EXCHANGE 2007 SP1: EXCHANGE ACTIVESYNC AND OUTLOOK
WEB ACCESS
MICROSOFT

This session covers enhancements to OWA and EAS in Exchange Server 2007, 
with particular attention to SP1. See highlights of new SP1 features in both OWA 
and EAS: e.g., public folders, rules, calendar views and auto-discovery. Hear 
about the latest mobile scenario security enhancements. Learn about the latest 
updates to the EAS-OWA better together mobile experience. Get guidance on 
managing these features. Discover why OWA and EAS together give information 
workers the most powerful Exchange mobile experience. 

EXCHANGE SERVER 2007 SP1: TIPS AND TRICKS 
MICROSOFT 

This session will provide information on how to get more out of Exchange 
Server 2007 and Exchange Server 2007 SP1. It includes tips and tricks on configuring
Exchange, managing Exchange, using the Exchange Management
Shell, and more! 


UNIFIED COMMUNICATIONS 


INTRODUCING OFFICE COMMUNICATIONS SERVER 2007 AND
OFFICE COMMUNICATOR
MICROSOFT

Software-powered VoIP will power the next generation of streamlined business
communications. Without expensive infrastructure and network upgrades,
Office Communications Server 2007 delivers software-powered VoIP, Web conferencing
and enterprise instant messaging along with a rich Presence platform.
See how Office Communications Server 2007 enables users to find and
communicate with the right person, right now, from the applications they use 
most whether at the office, at home, or on the road. 

MICROSOFT OFFICE COMMUNICATIONS SERVER 2007
ARCHITECTURE AND DEPLOYMENT
MICROSOFT

This session will describe the unified communications architecture behind 
Office Communications Server 2007 as well as the logical and physical deployment
models for the servers. Join us for the session to hear about new capabilities
delivered by Office Communications Server 2007. We will be discussing
core architecture, server roles and decisions you have to make when planning 
and designing your Office Communications Server 2007 deployment. Sessions 
will include deployment best practices and demos. By the end of the session 
you should have enough background information to start thinking about your 
own deployment regardless of the size. 

PLANNING VOICE ARCHITECTURE AND DEPLOYMENT IN OFFICE
COMMUNICATIONS SERVER 2007
MICROSOFT

This session will cover the different voice related components from an architectural
perspective, dialplan and routing concepts with specific examples and
guidelines, and voice deployment scenarios that are supported in Office
Communications Server 2007.

ADMINISTRATION AND MANAGEMENT OF OFFICE 
COMMUNICATIONS SERVER 2007 
MICROSOFT 

Office Communications Server 2007 offers an intuitive and an extensible management
interface. Come and ask the experts how you can completely manage
your Office Communications Server infrastructure with low overhead. In this
interactive session we will take questions on the automation capabilities of the
Office Communications Server management interface. Do you want to know
how it integrates with Microsoft Operations Manager? Come and ask, and learn how
you can use it to monitor your voice quality.

SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. 

SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS. 


MICROSOFT'S WEB CONFERENCING SOLUTION 
MICROSOFT 

Learn about Web conferencing technology provided by Microsoft Office 
Communications Server 2007 and the Office Live Meeting service. Microsoft's 
Web conferencing technology helps businesses connect disconnected organizations
with tools for online meetings, events, training, and collaboration while
offering choices for deploying this functionality via on-premise server or hosted
service. See demos of rich Web conferencing features, such as rich media,
two-way audio, and live panoramic video with Microsoft Roundtable. Understand the
differences at a feature level between the on-premise and the service offerings. 

DEPLOYING AND MANAGING YOUR UC DEVICES: TANJAY,
CATALINA, ROUNDTABLE
MICROSOFT

In this session you will learn about how to deploy and manage UC Devices, that 
is Office Communicator Phone Edition (codename "Tanjay") and Microsoft
RoundTable. These devices are designed to be plug-and-play and they are, but 
there are a number of infrastructure requirements for it to work. You will learn 
about these infrastructure requirements (DHCP, DNS, NTP, Certificates, Exchange 
2007) and we will explore in detail the OCS 2007 Software Update Service. This 
component is able to update UC Devices with new firmware and in general 
includes a number of additional management features for UC Devices. After this 
session you will be able to understand what is needed to deploy UC Devices and 
you will know how to maintain the devices. 

SOFTWARE POWERED VOIP: TOPOLOGY AND CONFIGURATION 
MICROSOFT 

In this session we will start with everything outside of the server, the wider environment
to which Office Communications Server will integrate and planning for
deployments of Office Communications Server
2007. We will present the different enterprise environments that you will find on
customer sites and the scenarios to integrate Office Communications Server
2007 with each of the different environments. You will learn about where to
place Mediation Server and Gateways, which Gateways are supported, and how
to provision the gateways for optimum capability. Following this you will also
learn about everything inside the server, including Location profiles, Number
Normalization rules, Reverse Number Lookup and how to configure routes on
Office Communications Server 2007. You will learn how to restrict users from
dialing unauthorized numbers by using phone usages and what you have to consider
when you deploy in conjunction with existing PBX environments.

MIGRATING FROM MICROSOFT OFFICE LIVE COMMUNICATIONS 
SERVER (LCS) 2005 TO OFFICE COMMUNICATIONS SERVER 
(OCS) 2007 
MICROSOFT 

Migrating an LCS 2005 SP1 environment to Office Communications Server 2007 
requires careful planning for server deployments and client deployments. The 
session will present the most important aspects that drive the deployment and 
migration strategies and provide recommendations on how to accomplish a 
successful migration. 


DIVE INTO THE NEW RELEASES WITH MICROSOFT 
MICROSOFT EXCH

CONFERENCE SESSIONS 


SOMETIMES SIP JUST AIN'T ENOUGH 
MICHAEL PRZYTULA 

This session will look at some of the issues you
can encounter when natively integrating IP-PBXs
with OCS Enterprise Voice functionality, such as
dealing with E.164, RNL, backboning multiple
IP-PBXs via OCS, number normalization, and many
other interoperation issues as well as the ways to
work around some current native limitations.

MONITORING OCS WITH MOM AND 
QOE SERVER 
MICHAEL PRZYTULA 

What is the quality of your users' experience (and
the people they call) since you have deployed OCS
to provide your company's voice services? Is the
service stacking up against the quality of calls you
had on your traditional PBX before OCS? This session
will look at how you can use the combination
of MOM and the OCS QoE Server to analyze your
organization's use of OCS Voice and Video services,
pinpoint any poor quality hotspots and take
moves to address them.

OPTIMIZING MICROSOFT ROUNDTABLE
DEPLOYMENTS
MICHAEL PRZYTULA

The ultimate Plug-and-Play device, right out of 
the box, you can plug it in and start using its 
360° panoramic video and VoIP capabilities; however,
there is much more you can do to further
optimize your experience with Microsoft 
RoundTable. This session will look at the finer 
points of tuning RoundTable to provide the most 
optimized experience in rooms of different 
shapes, sizes, configuration, lighting conditions, 
and even different countries! Using details from 
this session, you will be able to enhance your 
users' collaboration experiences even more! 

WINDOWS FAILOVER CLUSTERING FOR 
EXCHANGE ADMINISTRATORS 
JUERGEN HASSLAUER 

In the past the majority of Exchange deployments
used standard servers so many Exchange administrators
have limited exposure to clustering technologies.
With the introduction of Cluster
Continuous Replication (CCR) in Exchange Server
2007, the pros and cons for clustering Exchange
have to be reevaluated. Windows Server 2008 will
additionally increase the number of clustered
mailbox server deployments. Therefore, it is necessary
that Exchange administrators understand
the Windows Failover Clustering concept. This session
describes the different cluster architectures
used by the two implementation alternatives for a
Clustered Mailbox Server (CMS) in Exchange Server
2007, CCR, and Single Copy Cluster (SCC). You will
learn how Windows Server 2008 simplifies the
setup and management of a cluster and what you
have to consider for a geographically dispersed
deployment of a CMS.

www.WinConnections.com

EXCHANGE SERVER 2007 CONTINUOUS 
REPLICATION
JUERGEN HASSLAUER

Exchange Server 2007 supports continuous data 
replication and enables administrators to create a 
second copy of the data stored in the information 
store. We will discuss Local Continuous Replication 
(LCR), Cluster Continuous Replication (CCR), and 
Standby Continuous Replication (SCR). You will 
learn how you can use these application built-in 
replication methods for geographically dispersed 
deployments. This session will help you to make 
an informed decision about when to use LCR, CCR, 
SCR, or a traditional storage-based replication 
solution from a third-party vendor. 

OFFICE COMMUNICATOR: EXTEND YOUR 
MESSAGING ENVIRONMENT WITH REAL-TIME
COMMUNICATION
JIM MCBEE 

Many IT managers and professionals equate popular
instant messaging applications with corporate-level,
real-time communications and thus dismiss
the concept altogether. The quick dismissal of
this emerging technology may be denying your
organization powerful new tools for collaborating.
We are on the verge of a new step in real-time
communication evolution that will integrate functions
of e-mail, calendaring, and instant messaging.
Come to this session to learn about some of
the exciting developments in the convergence of 
and integration between Office Communicator, 
Exchange Server, voice mail, and your telephone. 

EXCHANGE 2007 MIGRATIONS: LESSONS 
LEARNED IN THE FIRST 100 DAYS
JIM MCBEE

Follow the real-life implementation of an early
adopter of Exchange 2007. This session will start
with an overview of an organization's Exchange
2000 architecture and some of their goals for an
early implementation of Exchange 2007. The session
will then cover the planning process, server
consolidation factors, hardware requirements, 
existing software that integrates with Exchange, 
and meeting prerequisites. This session will also 
include many of the hurdles that this organization 
faced in completing their migration. 

EXCHANGE STORAGE SIZING AND 
HARDWARE EXPOSED 
JIM MCBEE 

Some messaging professionals view the process of 
sizing disk capacity as nothing more than tossing 
a lot of disk storage at the Exchange server and 
hoping it will be enough. This approach frequently 
yields poor results. If you have enough disk capacity,
there is still no guarantee that you have sized
the disk I/O capacity necessary to support your
user community. In this session, you will learn not
only about the factors that affect disk storage
capacity, but also how to anticipate the I/O capacity.
Topics include estimating message data storage,
determining factors that increase disk storage
overhead, calculating I/O capacity, and determining
if you have sufficient I/O capacity for your
current user community. 

EXCHANGE PROTECTION USING DATA 
PROTECTION MANAGER 
DEVIN GANGER 

Backing up and restoring Exchange servers is an 
essential part of keeping your messaging infrastructure
up and running, even when you're running
an advanced clustering configuration. Why
should you consider using Microsoft System
Center Data Protection Manager 2007 to protect
your Exchange servers and clusters? What configurations
are supported and what limitations does
this place on my Exchange design? This session 
covers protecting Exchange 2003 and 2007 
servers' clustered configurations, including the 
new Exchange 2007 replication options. 

DISCOVERY, COMPLIANCE, ARCHIVAL, 
AND RETENTION WITH EXCHANGE
DEVIN GANGER

Discovery, Compliance, Archival, and Retention: 
they're challenges every Exchange administrator 
faces. Whether you're using Exchange 2000, 2003,
or 2007, join the author of the Windows IT Pro
Email Discovery and Compliance e-book to find out
how to solve these challenges using Exchange.
Find out what you can do out of the box and when
you'll need to invest in third-party software.

UPGRADING TO EXCHANGE SERVER 
2007: BEST PRACTICES 
DEVIN GANGER 

The common knowledge says that upgrading to 
Exchange 2007 isn't nearly as hard as the upgrade 
from Exchange 5.5. That's not to say that it doesn't
present its own set of challenges - and if you're
caught by them, it will still feel like getting run 
over by a truck. This session will present some of 
the common gotchas and how to avoid them. Be at 
the head of the upgrade parade, not caught in the 
wheels. This session has been upgraded to include 
the latest information on the SP1 release. 

CUSTOMIZING OUTLOOK WEB ACCESS IN 
EXCHANGE 2007 
WILLIAM LEFKOVICS 

Some enterprises may want to enforce branding of
Outlook Web Access. A disclaimer or policy statement
regarding use of corporate e-mail resources
may accompany a customized Logon screen. We
will also look at creating themes with OWA 2007
using Cascading Style Sheets (CSS). The tools we
will use for this adventure include Microsoft
Expression Web. We will create a custom OWA as
part of the demo.

APRIL 27-30, 2008 ■ ORLANDO, FLORIDA

TRANSPORT RULES WITH EXCHANGE 
2007/OUTLOOK 2007
WILLIAM LEFKOVICS 

We will make a CASE (Conditions, Actions, Scope,
Exceptions) for the value of transport rules and
how they may be used within an organization.
This includes the use of ethical walls, appending
text to messages, and enforcing policy. We will
also show how Outlook 2007 message classification
and categorization can be used to further
empower transport rules. We will compare how 
transport rules differ between the hub and edge 
transport servers and create rules with the 
Exchange Management Console as well as the 
Exchange Management Shell. 

MESSAGE HYGIENE IN EXCHANGE 2007 
AND THE ANTI-SPAM MIGRATION TOOL 
WILLIAM LEFKOVICS 

We'll cover how to implement and configure the 
Transport Agents for anti-spam for Edge or Hub 
Transport servers with emphasis on the layered 
"Defense-in-Depth" approach. We will also cover 
migrating Anti-spam settings from Exchange 
2003 to an Exchange 2007 Edge or Hub 
Transport Server using the Microsoft Exchange 
Anti-spam Migration Tool. We will use both the 
Exchange Management Console and the 
Exchange Management Shell to configure message
hygiene settings.

MOBILE DEVICE SECURITY 
JOHN RHOTON 

The biggest obstacle deterring enterprises from 
the deployment of mobile devices is the concern 
around security risks that these devices expose. 
The content is vulnerable since mobility implies 
physical presence in public and uncontrolled environments
using connectivity that is unmonitored
and unmanaged by the enterprise. Devices are
often lost or stolen. Wireless transmissions are
physically accessible to anyone. Public networks
may harbor malware, probes, denial-of-service
attacks, and many other threats that can compromise
the device, and potentially through it, assets
on the corporate network. This presentation discusses
the primary wireless and mobile concerns
and the mechanisms that can be used to address
them. It will provide an overview of the products
offering mobile security solutions and also proposes
best practices in developing a complete
security framework that can enable mobility without
unacceptable risk to the enterprise.


MOBILE DEVICE MANAGEMENT (MDM) 
JOHN RHOTON 

The biggest challenges in initially deploying a mobile 
application are to provide connectivity and security. 
Once this has been achieved scalability becomes a 
growing concern. The infrastructure itself may scale 
very well but any manual process to provision, 
update, and support a large number of devices will 
become very costly. Mobile device management 
includes automatic configuration of mobile devices, 
software deployment, remote configuration and 
updates, inventory, and policy enforcement. This session
will provide an overview of the OMA-DM (Open
Mobile Alliance-Device Management) standard, typical
MDM architectures, market leading products
(including Microsoft System Center Mobile Device
Management) and provide insight into the challenges
and best practices in deploying MDM.

POWERSHELL FOR BEGINNERS
PAUL ROBICHAUX

The Exchange Management Shell (EMS) is a key 
part of the Exchange 2007 experience. What if 
you're not a scripter? Don't worry; you can still 
get plenty done with EMS after just a little learning.
This session covers the basics of what you
need to know about how EMS works and what 
you can do with it. 

PROTECTING DOCUMENTS AND E-MAIL 
MESSAGES WITH RIGHTS MANAGEMENT 
SERVICES
DUNG HOANG-KHAC

Have you ever wished that your internal e-mail 
messages or confidential documents stored on 
SharePoint would not go into the wrong hands? 
Have you ever been thrilled to know who has 
access to your documents and who does not? 
Come to this session to learn about Active
Directory Rights Management Services. AD RMS is
now a Windows component integrated with
Windows Vista and Windows Server 2008 and is a
Windows platform protection technology used to
enable secure collaboration between multiple
organizations. With AD RMS, you can ensure that
sensitive documents are encrypted and authorization
rights are set within the documents. Every
time a user opens a document, permissions are 
always checked no matter where this document 
resides, inside or outside of your organization! 

CONSOLIDATING MANAGEMENT OF
EVENT LOGS
DUNG HOANG-KHAC

After deploying Exchange 2007, you are enjoying 
management of Exchange servers from a single 
GUI console or from its powerful command line 
interface. However, to monitor events that have 
occurred in an Exchange environment, you still 
need to employ different tools to consolidate 
Exchange events in a central location for further 
analysis. There are several free but unsupported 
tools that help collect event logs from remote 
servers, and then it's up to administrators to 
browse through those files and filter out noise 
events to extract useful information. Wouldn't it be 
nice if the operating system could do the work for 
you? Simply specifying the event IDs you are interested
in monitoring, a group policy that includes
selected Exchange servers, and a rule to collect 
those events, and then you're done! Come to this 
session to learn about the new event architecture 
and remote management in Windows Server 2008 
and see how you can leverage the new event forwarding
feature to better manage your application
servers today! By the way, event forwarding also 
works on the Windows Server 2003 environment 
too, so you don't need to wait for an upgrade. 

WINDOWS SERVER 2008 OVERVIEW
MICROSOFT 

Windows Server 2008, in addition to incorporating new capabilities and 
enhancements to existing features, includes a number of improvements in 
the core OS that enhance the Operating System's capabilities in this area. 
Features aimed at increasing the ability of Windows Server 2008 to support 
highly critical workloads by improving operational reliability, reducing system 
failures, and easing management. We will also discuss improvements in other 
related elements in the platform that help Windows based systems and services
help move an organization's IT Department forward.

WINDOWS SERVER 2008 VIRTUALIZATION TECHNOLOGIES 
MICROSOFT 

The new Windows Server Virtualization technology, Hyper-V, and Presentation 
Virtualization technologies like Terminal Services RemoteApp are core features 
in Windows Server 2008. This session will provide you an overview of virtualization
in Windows Server 2008, the scenarios, features, and benefits that make
server virtualization an important scenario. Virtualization management is
becoming a critical tool for improving overall manageability for the IT environment.
Join us in this session to learn how Hyper-V and our management technologies
build a strong flexible platform and improve overall manageability.

WINDOWS SERVER 2008 WEB AND APPLICATION TECHNOLOGIES 
MICROSOFT 

Take a look at all the changes coming in the new, redesigned Internet 
Information Services (IIS) 7 and Windows Web Server 2008. This session 
focuses on new troubleshooting features, a breakdown of architecture and 
security improvements, and the new IIS 7 configuration system, remote management,
extensibility, business value, etc.

WINDOWS SERVER 2008 SECURITY AND COMPLIANCE
TECHNOLOGIES
MICROSOFT

Windows Server 2008 offers rich capabilities for securing your IT
Infrastructure and providing tools to ease compliance mandates. This session
will discuss the Windows security and compliance features such as
Network Access Protection, Right Management Services, and Active Directory
Federation Service subsystem, why auditing is important, and how to configure
an audit policy updated Windows Server 2008 event subsystem.

WINDOWS SERVER 2008 PERFORMANCE AND SCALABILITY 
MICROSOFT 

A discussion of Windows Server 2008 OS performance features, results, and 
references. The presentation will cover the themes behind the performance 
investments on Windows Server 2008 and how they are applicable to
real-world scenarios. Some of the areas covered are file serving, networking
advancements, Web and application serving, virtualization, terminal services 
and general scale-up advancements. 


IDENTITY AND ACCESS TECHNOLOGIES IN WINDOWS
SERVER 2008
MICROSOFT

Windows Server 2008 is an advanced operating system that can help you 
maximize control over your infrastructure while providing higher availability 
and management capabilities, leading to a more secure, reliable server environment.
In this presentation, learn how you can help your organization
reduce identity and access security risks with Windows Server 2008. We also 
examine how Windows Server 2008 can help you decrease operational costs, 
satisfy regulatory requirements, and deepen relationships with customers 
and partners. 

MANAGEMENT TECHNOLOGIES IN WINDOWS SERVER 2008 
MICROSOFT 

Windows Server 2008 makes significant improvements in server manageability
with a one-stop administrative solution called Server Manager. This
streamlined management tool allows IT administrators to complete setup of
Windows Server using the Initial Configuration Tasks page, and configure and
manage server roles and features with prescriptive wizards, a unified management
console, and a command-line interface. This session will present and
demonstrate the configuration and management capabilities of Server 
Manager and introduce some new features of Server Manager in the Windows 
Server 2008 including integration of the Hyper-V role and Remote Server 
Administration Tools. We will also explore how Windows PowerShell, Windows 
Remote Administration, and Event Forwarding can be part of an overall server 
management strategy. 

WINDOWS SERVER AND VISTA: SOLID ENTERPRISE
MICROSOFT 

In this session, we discuss many new features shared by the Windows Vista 
and Windows Server 2008 operating systems. We start by talking about why 
Windows Server 2008 and Windows Vista are so closely related, and how 
together they enable many new and exciting features that promote more efficient
management. We talk about the new features that make data more
available, such as improvements to offline files, client-side print rendering,
the transactional file system, and policy-based Quality of Service (QoS).
Finally, we review such things as the new TCP/IP stack and Server Message 
Block (SMB) 2.0 protocol that speed network communications in Windows 
Server 2008 and Windows Vista. Attend this session to learn how Windows 
Server 2008 and Vista work better together. 

WSE201: REIMAGINING FILE SHARE
SECURITY AND MANAGEABILITY 
DAN HOLME 

Windows Server 2008 improves on the solid performance
and functionality of previous versions
of Windows file services. Features such as file 
screens, quotas, DFS Namespaces, access-based 
enumeration, and the powerful new Owner Rights 
identity are important pieces of the puzzle. But 
to implement the perfect file server, you need 
more. You need the ability to answer the questions,
"Who has access to this file?" and "What
can John Doe get to?" Get the free tools and 
scripts you need for a more manageable file 
server. This session will cover: Changes to the 
capabilities and functionality of security user 
interfaces and NTFS permissions; The new Owner 
Rights identity; Access-based enumeration (ABE); 
Symbolic links; Provisioning secured shared folders;
Abstracting the storage and presentation of
data folders for manageability and security; File
screens; Quotas; Custom scripts and tools to analyze
and report file and folder access.

WSE301: ROLE-BASED MANAGEMENT: 
EXTREME MAKEOVER 
DAN HOLME 

Get out of the business of managing individual 
changes in your environment and unleash the 
power of role-based management. If you've ever 
asked, or been asked, "What can [name of user] 
do?" or "Who is able to get to [name of resource 
or application]?", this session is for you! In this
session you will learn how to implement role-based management,
in which users are defined by their
business roles and where resource access and 
configuration are instantly, accurately, and 
auditably applied. Empower your enterprise to 
enable a documented, auditable structure for 
resource security, asset management, and more. 
Take away methodologies, scripts, tools, and 
guidance that are proven successful in the real 
world. This highly rated session is one of a kind 
and only at Windows Connections. 


WINDOWS TECHNOLOGIES 


WWN322: 64-BIT WINDOWS SERVER 2008 
VERSIONS: WHY SHOULD YOU CARE? 
GUIDO GRILLENMEIER 

In 2008, if you are an IT administrator and you 
are not aware of the ins and outs of 64-bit 
Windows, you have a problem. Driven by the need 
to deploy the 64-bit Windows OS to support applications
such as Exchange 2007, what are the
challenges you'll face when moving down the 64-bit
road: What does this mean for your 32-bit
applications? Will they work and how? Will they
perform better or worse? When considering
deployment of Windows Server 2008, should you 
leverage the x64 architecture or move to 
Itanium? What's really the difference between the 
two? How does Windows Server 2008 support 
either architecture? This session explains the 
most important things to know about the different
64-bit Windows architectures and why you
should care about them. Special focus will be put 
on 32-bit compatibility challenges and solutions 
as well as discussing deployment scenarios for 
the 64-bit versions of Windows Server 2008. 

WWN323: ACTIVE DIRECTORY DISASTER 
RECOVERY IN WINDOWS SERVER 2008 
GUIDO GRILLENMEIER 

Backing up and restoring your complete Active
Directory forest, or objects that you have accidentally
deleted in a domain, has always been a lot of
fun with previous versions of the Windows Server
OS. Come to this session to find out how much
more fun you can have restoring your AD or specific
objects with Windows Server 2008! Microsoft has
invested a lot of resources to completely overhaul 
the mechanisms and tools to back up Windows 
Servers in this OS release. This change has various 
impacts on the strategy you use to back up your 
AD Domain Controllers and how you restore them.
It may even impact how you configure your domain
controller disk subsystem. But there is a lot of
good news when it comes to recovering objects in
AD, which will be demonstrated in detail in this session.
We'll also discuss those recovery tasks that
continue to be a challenge. 

WWN321: ADMINISTRATORS' IDOL: THE 
COOLEST SESSION EVER 
DAN HOLME 

OK, the title got your attention at least, right? So 
here's the scoop. From his work with thousands
of IT professionals, from the CIOs of Fortune 
companies to front-line support professionals at 
the Olympic games with NBC, Dan has amassed a 
wealth of tricks to boost your productivity as an 
administrator. In this fast-paced session, Dan will 
share how to build truly amazing administrative 
toolsets that extend your reach, automate 
tedious tasks, and enable your entire IT organization
to work smarter, faster, and more securely.
You'll learn tricks that will amaze not only your 
friends and coworkers, but yourself as well. 
Typically part of a post-conference workshop, 
we've brought this gem into the main event as a 
fantastic way to cap off your Windows 
Connections experience. Don't miss it! 

WWN221: BREAKING UP IS HARD TO DO: 
DIVESTING RESOURCES OUT OF YOUR AD 
SEAN DEUBY 

Acquisitions and divestitures are a fact of business
life. This doesn't mean that moving a business
unit out of your Active Directory is an easy
task, however. You have to juggle the technical
aspects of removing the affected unit's users,
groups, and computers while keeping disruptions
of all involved parties to an absolute minimum,
all without violating either company's information
security policies. This session will step you
through a large divestiture based on real-life 
experience, pointing out requirements, pitfalls, 
and best practices along the way. 

WWN220: DNS 2008 STYLE: HOW NAME 
RESOLUTION CHANGES IN SERVER 2008 
INFRASTRUCTURES 
MARK MINASI 

Server 2008's here, and so is DNS, 2008 style! 
What's the story with WINS, is it time to go? How 
does 2008's DNS affect Active Directory? What 
about those new "magic" records, the DNAME 
and GLOBALNAMES feature? And most importantly,
how the heck do I administer a DNS server
running on Server Core? Find out with the Master 
of Name Resolution, Mark Minasi! 

WSE302: INCREASING THE SECURITY IN 
YOUR ACTIVE DIRECTORY USING 
WINDOWS SERVER 2008 
GUIDO GRILLENMEIER 

Active Directory has received various security 
updates in Windows Server 2008, some of which 
are hard to miss, such as the capability to 
deploy Read-Only Domain Controllers (RODC). 
However, there are plenty of other enhancements
hiding under the hood that AD administrators
should know about to further tighten the
security in their AD infrastructures. This includes 
features such as Owner Access Restriction, Fine 
Grained Password Policies, various updates 
around the Auditing capabilities of Active 
Directory, and the Admin-Role Separation feature
for RODC. This session will explain how best
to leverage the various new features to ensure 
the operation of a secure Active Directory with 
Windows Server 2008. 

WWN222: MIGRATION STRATEGIES FOR 
WINDOWS SERVER 2008 
SEAN DEUBY 

Whether you're in the role of a single server 
administrator or owner of a corporate Active 
Directory, upgrading to Windows Server 2008 
requires thorough planning and testing. This session
will review different migration strategies for
several Windows Server 2008 roles, with a focus
on upgrading your Active Directory forest.

WWN325: NOW THAT YOU'VE GOT IPV6 
(IN VISTA AND 2008), WHAT TO DO 
WITH IT?
MARK MINASI

Vista has arrived. 2008's arrived. And with them 
they bring ...IPv6. Your first reaction when you see 
an IPv6 address like "fe80::5efe:10.50.50.112" might
be "hmmm... that's a lotta colons, and I KNOW
what comes out of colons!," but is that the RIGHT
reaction? Join veteran Windows explainer Mark 
Minasi in a look at the latest version of IPv6... and 
whether you'll want to leave it on or turn it off. 

WWN101: PLANNING FOR WINDOWS 
SERVER 2008 AND VISTA LICENSING 
SEAN DEUBY 

Any rollout of Windows Server 2008 or Vista 
requires planning for Volume Activation 2.0. If 
you don't, your systems will grind to a halt a 
month after you've deployed them. You have to 
make a number of design decisions for your VA 
2.0 infrastructure; this session will provide you 
with key information from practical experience to 
help you plan. 

WWN326: SERVER CORE STEP BY STEP: 
GOING COLD TURKEY ON THE GUI 
MARK MINASI 

For years you've known it: you've just GOT to get 
more familiar with the command line. You get 
things done faster, you can create simple batch 
files for automating many tasks, and, best of all, 
when you're working from the GUI, your boss 
starts to think: "Hey, what IS that thing he/she's
using? We need to pay techie employees like them
more money!" Well, Windows 2008's command-line-only
Server Core's arrived, so here's your
opportunity. Building on his popular "Command
Windows from C: Level 1" talk, Mark Minasi walks
you through the process of building a Server Core
server from setup to initial configuration to full-blown
DNS, Active Directory, and more.

WWN327: WHY UPGRADE TO SERVER 2008? 
FOR THE NEW AD BENEFITS, MOSTLY 
MARK MINASI 

Why upgrade to 2008? Heck, we could just wait
for SP1, right? Maybe not. 2003's Active Directory
is pretty good, but, honestly, it could be better.
Branch office DCs are a real pain, both from a
security and a bandwidth point of view. But
Server 2008 offers some relief with the concept
of a "read-only domain controller" that flexes
Kerberos' muscles in a way that Windows hasn't
really before. You'll get the ability to dial in
exactly which user accounts are stored on a
branch office DC, as well as new encryption
options to make it theft-proof. But that's not all:
DCPROMO gets a facelift and, well, it needed it.
Even better, AD actually comes with a disaster 
recovery tool... neat, eh? Come to this session 
presented by Windows expert and bestselling 
author Mark Minasi to find out whether or not 
the bundle of AD benefits might be the thing that 
sells you on 2008! 


POWERSHELL 


WP0201: MANAGING DIRECTORY 
SERVICES WITH WINDOWS POWERSHELL 
(BRING YOUR OWN LAPTOP)
JEFF HICKS

In this session we'll explore the different 
approaches you might need to manage directory 
services with PowerShell. Not only will we look at 
Active Directory management, but we'll also discover
how to manage local users and groups
through PowerShell. Our exploration will include 
native PowerShell functionality, a smattering of 
Exchange 2007, and free third-party PowerShell 
extensions. 

WP0202: MANAGING SERVERS AND 
DESKTOPS WITH WINDOWS POWERSHELL 
AND WMI 
JEFF HICKS 

Although PowerShell is an incredibly valuable 
administrative tool, a major feature is its support
for Windows Management Instrumentation
(WMI). In this session we'll review what WMI is 
and why you should care. Then we'll delve into 
the different ways you can leverage WMI in 
PowerShell to gather a great deal of system 
information and to configure and manage systems
as well.

WP0101: POWERSHELL IN WINDOWS 
SERVER 2008 
JEFF HICKS 

Windows Server 2008 promises to change the 
way we manage our servers once again. 
PowerShell also will be changing the way we 
manage our servers. In this session we'll discover 
how PowerShell and Windows Server 2008 work 
together, what it takes to make them work
together, and how you can get the most out of
the combination to simplify your life. 


BUSINESS 


WIB201: EVERYTHING YOU NEED TO 
KNOW ABOUT STORAGE TECHNOLOGIES 
BUT WERE AFRAID TO ASK
ALAN SUGANO

If your company is like most companies, you are 
probably running low on disk space as storage 
hungry applications eat up disk space like contestants
in a pie-eating contest. But what's the best
solution for your company? With the advent of 
newer drive interface technologies like Serial 
Attached SCSI (SAS) and Serial ATA (SATA), there is 
a lot more to choose from when selecting a storage
solution. This session will cover the storage
basics of locally attached storage, network 
attached storage (NAS), just a bunch of disks 
(JBODs), and storage area networks (SANs), what 
they are, where they are typically used, and how 
they fit into a comprehensive storage strategy for 
your company. We'll also look at the enhancements 
to Windows Storage Server (WSS) that are scheduled
to be released with Windows Server 2008.


DEPLOYMENT, GROUP POLICY, 
MANAGEMENT 


WID201: GROUP POLICY 2.0 PART I:
NEW GOODIES
JEREMY MOSKOWITZ 

What's new in Group Policy? Short answer: lots. 
With Microsoft releasing Windows Server 2008 
there are hundreds of new settings, plus the 
biggest bombshell to hit Group Policy since 
Group Policy itself: the new Group Policy 
Preference Extensions! So come hear the essential
"What every admin absolutely needs to
know" about Windows Vista and Group Policy.
Learn why you need a Windows Vista management
station. Learn how to get out of burning
5MB per GPO on each DC. Learn about the new
things you can do (like power management and
USB port management), only for Windows Vista
clients. See the 20-odd new "big things"
Microsoft has gifted every administrator. If you
have even one Windows Vista client that you're 
going to deploy, you positively must come to this 
session to learn the ropes from Jeremy 
Moskowitz, Group Policy MVP. (Note that some 
material in this session is covered in Jeremy's 
pre-conference workshop.) 

WID302: GROUP POLICY 2.0 PART II:
TROUBLESHOOTING
JEREMY MOSKOWITZ

In Part II we'll discover how the beauty of Group 
Policy changes is not skin deep. There are some 
basic and detailed changes lying under the
hood. And Jeremy Moskowitz of GPanswers.com 
and author of Group Policy: Management, 
Troubleshooting and Security is just the guy to 
bring it to you. In this session, you'll learn why 
you can't just run gpresult.exe any more and get 
the results you want. You'll discover what happens
if you reconnect to the network after a
long absence. You'll learn how to crack open the 
new Vista event log and trace Group Policy flow 
to figure out what might be going on. You'll 
learn how other areas, like Offline Files and 
Group Policy Software Installation, can be 
tweaked to give you just the information you 
need to fix what ails you. If you're looking for 
Group Policy answers to your troubleshooting 
questions, this is the session for you. (Note
there is some material that is also covered in 
Jeremy's pre-conference workshop.) 


VIRTUALIZATION


WVI205: INCORPORATING VIRTUALIZATION
INTO DISASTER RECOVERY
ALAN SUGANO

A comprehensive Disaster Recovery Plan is something
that every company should have and hopefully
will never have to use. Having a plan in
place that provided a road map to recovery was
adequate in the past, but recent emphasis has
been placed on the speed of the recovery.
Sarbanes-Oxley (SOX) compliance companies
must disclose their business continuity plans and
the company's exposure to a prolonged outage
and how it affects financial reporting.
Virtualization can significantly reduce the recovery
time for a major disaster, by providing a
warm or hot remote recovery site and accelerate
workstation and server setup.

WVI104: SOFTGRID 101
JEREMY MOSKOWITZ

Let me guess: your machines just "blow up" now
and again. And I know why. It's because you have
a zillion applications on them with a half a zillion
conflicts and things just "deteriorate" over time.
Wouldn't it be neat if you could just eliminate
that problem altogether? Well, with Microsoft's
newest acquisition, Softgrid, you can. It works by
"wrapping up" your existing software into
"sequences", and then putting them into a virtual
sandbox. The upshot? Your applications aren't
running "on" Windows. They're running within the
sandbox. So, no more desktop deterioration.
Softgrid is a big place, but come to this session
to make sure you know the ins and outs before
you get it in your organization!


WVI206: VIRTUALIZE NOW!
RICK WATSON

This session explains virtualization concepts and
compares various virtualization technologies. It
explores the issues and benefits of moving production
systems into a virtual environment.
Issues: storage considerations, networking configuration,
and system compatibility. Benefits:
Reduces the cost of rack space and power.
Consolidation ratios commonly exceed ten virtual
machines per physical server; Decreases labor
costs by simplifying and automating IT operations
across disparate hardware, operating system,
and software applications; Enables cost-effective
application availability independent of
hardware and operating systems; Enables continuous
uptime and non-disruptive maintenance
with live migration of entire running systems;
Eliminates the need for repetitive software
installation and configuration; Accelerates the
application development and deployment lifecycles;
Improves responsiveness with instant provisioning
and dynamic optimization of application
environments; and Allows legacy systems to co-exist
with new environments.

WVI207: VIRTUALIZING ACTIVE
DIRECTORY
RICK WATSON

Windows Active Directory plays an important role 
in today's IT environment. In this session, learn 
how to successfully implement Windows Active 
Directory using virtualization. The session will 
demonstrate using VMware Virtual Infrastructure 
3, but the concepts and skills covered can be 
applied with other products. Topics covered: 
Guidelines for clock synchronization; Effective 
use of security roles; Placement of Flexible Single
Master Operations (FSMO) roles and global catalog
servers; Backup techniques and disaster
recovery options to minimize loss and downtime; 
Successfully transitioning from a physical to a 
virtualized infrastructure; and Managing network 
policies including DNS configurations. 

OFFICE

SESSIONS PRESENTED BY MICROSOFT
& CONFERENCE SESSIONS


MICROSOFT DAY • MONDAY, APRIL 28, 2008 • MICROSOFT DAY 


INTRODUCING THE OFFICE SECURITY GUIDE 
MICROSOFT 

In this session, learn about the new Office security guide to help you learn 
about securing the Office desktop. By attending this session, you'll get an 
overview of the guide itself, as well as helpful tips and techniques for improving
the security of each Office installation. Topics covered will include protection
of sensitive information, deployment configuration strategies, and more.

MANAGING APPLICATION COMPATIBILITY WITH CONVERTER
TECHNOLOGIES
MICROSOFT

In this session, learn how Converter Technologies can help simplify your 
deployment by helping understand and plan for application compatibility 
challenges for your deployment. We will also discuss the tools used to test 
legacy Office applications and documents for compatibility with next generation
Office System products.


NEW TOOLS AND TECHNIQUES FOR DEPLOYING THE OFFICE
2007 SYSTEM
MICROSOFT

The 2007 release of the Microsoft Office system offers several new tools to 
speed and simplify the client deployment process. In this session, you are introduced
to the new Setup and Customization technologies (only one tool now
instead of all those wizards!). This presentation offers a drill down of each tool, 
guidance for their use, and suggestions for making your deployment a success. 

OFFICE MIGRATION PLANNING MANAGER 
MICROSOFT 

Use the Office Migration Planning Manager to help assess your customer's document
environment readiness for Office 2007. Topics include benefits and
usage, scanning of documents with the provided file scanner, identifying possible
document conversion issues with the new Office 2007 XML formats, and
finding documents with VBA projects and macros. We'll also cover the graphical 
Access 2007 front-end for doing SQL queries of the data collected. 


OFFICE CONNECTIONS CONFERENCE SESSIONS • APRIL 29 & 30, 2008 


WSH203: CREATING COST-EFFECTIVE 
PARTNER SITES IN WSS 
JEFF WEBB 

How to set up an Internet-facing site for collaborating
with external partners using WSS. This session
covers how to isolate and secure the server
and set up forms-based authentication in a way 
that allows external users to manage their own 
passwords, receive e-mail alerts, and participate in 
workflows. It covers the hardware, licensing, and 
customization needs for partner sites with a focus 
on security and minimizing costs. 

WEX201: MOSS 2007/EXCHANGE 2007 
MANAGED FOLDERS 
MELISSA FRASER 

The compliancy features of Microsoft Office 
SharePoint Server 2007 are very compelling. With 
the use of MOSS 2007 and Exchange 2007 together,
these compliancy features may be extended
beyond traditional document libraries. E-mail 
messages stored on servers can also be included. 
In this session, we will discuss the ins and outs 
of including Exchange 2007 e-mail messages as 
part of records management. Session topics 
include: Planning e-mail retention policies; 
Configuring managed folders; Configuring information
management policies on folders, and
Implementing journaling. 

WSH201: SAY G'BYE TO FILE SHARES:
21ST CENTURY COLLABORATION WITH
WSS DOCUMENT LIBRARIES 
DAN HOLME 

It's time to start moving your shared folders to 
SharePoint. Why? Because the features that we've
all been missing, including document metadata,
checkout, version control, and content approval,
are now achievable using Windows SharePoint
Services document libraries. Learn how to move
forward into a new era of document management 
in this practical application of SharePoint. 

WSH202: SHAREPOINT, BUSINESS, AND 
END-USER PRODUCTIVITY: OFFICE 2007 
APPS AS SHAREPOINT CLIENTS 
DAN HOLME 

While SharePoint offers great functionality 
through its out-of-the-box Web interface, you really
"kick it up a notch" when you add Microsoft
Office 2007 applications to the mix. This session, 
appropriate for IT professionals, end users, and 
managers, will highlight some of the exciting ways 
you can integrate Office apps and SharePoint, 
including document libraries, Excel and Access 
integration, slide libraries, and taking files offline 
with Outlook. You'll also learn what to expect from 
different versions of Microsoft Office clients and of 
SharePoint. And you'll discover tricks and traps 
related to configuring SharePoint, even with 
forms-based authentication, for client integration. 

WSH204: TROUBLESHOOTING 
SHAREPOINT: WHEN GOOD SERVERS 
GO BAD 
JEFF WEBB 

How to detect, isolate, debug, and fix problems 
when they occur. This session walks through common
issues and shows you how to run down the
problem through the logging services that 
Windows, SharePoint, SQL, and IIS provide. It also 
covers how to fix the most common client-side 
and server-side issues and points you to resources 
to help resolve the obscure ones. 


WSH205: WSS 3.0 COMMON 
ADMINISTRATION AND CONFIGURATION 
MELISSA FRASER 

Microsoft Windows SharePoint Services 3.0 has 
many new features and enhancements that can 
help IT professionals deploy and maintain Windows 
SharePoint Services solutions. Together, these new 
features and enhancements provide IT organizations
with better control over the WSS solution
and help reduce administrative overhead by allowing
IT administrators to work more efficiently and
effectively. In this session, we will discuss the configuration
and management of WSS servers and
WSS sites. Specifically we will cover: Central
administration for operations; Central administration
for applications; Site collection management;
and Site structure and feature management. 


WORKSHOPS

PRE-CONFERENCE 



Pre- and Post-conference Sessions Boost 
Your Expertise! 

Pre-conference Workshops: 

Saturday, April 26, 2008 
Sunday, April 27, 2008 

Post-conference Workshops: 

Thursday, May 1, 2008 

Windows Connections, Office Connections and Exchange 
Connections offers additional, optional pre- and post-conference
half-day sessions. Extend your educational
experience and gain additional expertise, including fundamentals
that make the main-track sessions more relevant
and comprehensible for newcomers.

Pre- and post-conference session selections are 
available when you register. 

PRE-CONFERENCE DAY 1 • APRIL 26, 2008 


9AM - 4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

SAY WHAT? VOICE TECHNOLOGIES FOR IT PROFESSIONALS 
(BRING YOUR OWN LAPTOP) 

VALENTINE BOIARKINE, MVP 
THOMAS FOREMAN, MVP 

Is SIP something you do to coffee? Do you think PBX is an extreme sport? 
Do hunt groups make you run for cover? This session is for IT professionals
who need to know more about voice technologies that work with
Microsoft's Unified Communications products. Microsoft has entered the 
voice domain with Exchange Server 2007 Unified Messaging and Office 
Communications Server. As IT professionals, we need to know how to 
integrate these powerful products with existing voice technologies. This 
session will discuss voice technologies and how they integrate with UC 
products. You will perform a series of OCS labs developed by Wadeware® 
on your laptop. NOTE: The laptop you bring MUST have at least 2GB of 
memory, 15GB free disk space, DVD drive, and a headset with microphone. 

9AM - 4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

U-FIX-IT: TROUBLESHOOTING EXCHANGE SERVER 2007 
(BRING YOUR OWN LAPTOP) 

PETER O'DOWD, MVP 

This intensive one-day troubleshooting workshop is essential for IT and 
Exchange administrators who want hands-on experience troubleshooting
databases, message flow, and performance in a lab environment.
Exchange expert and MVP Peter O'Dowd will walk you through the 
process of identifying and solving problems using a wide-range of tools 
and techniques. On your laptop, you'll perform virtual hands-on labs 
developed by Wadeware® that simulate problems, and then walk through 
the process of troubleshooting and solving them. Attend this full-day 
workshop to better understand Exchange database architecture and 
gain knowledge necessary to recover and support your Exchange Server 
2007 system. NOTE: The laptop you bring MUST have at least 2GB of 
memory, 15GB free disk space, and DVD drive. 


PRE-CONFERENCE DAY 2 • APRIL 27, 2008 


9AM - 4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

WALK IN THE PARK: OFFICE COMMUNICATIONS SERVER HANDS 
ON LABS (BRING YOUR OWN LAPTOP)
VALENTINE BOIARKINE, MVP 
THOMAS FOREMAN, MVP 

Come take a six-hour guided tour of Office Communications Server (OCS) 
and see for yourself the latest Microsoft Unified Communications product. 
Much, much more than Instant Messaging, Office Communications Server 
provides text, web conferencing, and Voice over IP solutions that allow you 
to change the way your organization communicates. We'll install and configure
OCS and show how web conferencing integrates with Microsoft Office.
We'll show you how to configure and use Communicator Web Access, and 
how to configure Voice so that incoming calls are directed to Office 
Communicator clients (and eventually Exchange Unified Messaging if you're 
not there to answer). In this information-packed day, you'll use your laptop 
to walk through several hands-on labs developed by Wadeware® with OCS 
experts, MVP Thomas Foreman, and MVP Valentine Boiarkine. NOTE: The laptop
you bring MUST have at least 2 gig of memory, 15GB free disk space, DVD
drive, and a headset with microphone. 

9AM - 4PM • PRE-CONFERENCE WORKSHOP • EXCHANGE TRACK 

WALK IN THE PARK: MICROSOFT EXCHANGE 2007 HANDS-ON 
LABS (BRING YOUR OWN LAPTOP) 

PETER O'DOWD, MVP 

Come take a six-hour guided tour of Exchange Server 2007 and see for 
yourself the next evolution of the world's most powerful messaging system. 
Experience the new Management Console, the five new server roles, e-mail 
policy enforcement and compliance, powerful new scripting tools, new 
architecture, new high availability and disaster recovery features, new mailbox
features, and methods for migrating from earlier versions of Exchange.
In this information-packed day with Exchange expert and MVP Peter 
O'Dowd, you'll get hands-on experience with Exchange Server 2007 using 
your laptop to walk through several labs developed by Wadeware®. NOTE: 
The laptop you bring MUST have at least 2GB of memory, 15GB free disk 
space, and DVD drive. 

9AM - 12PM • PRE-CONFERENCE WORKSHOP • OFFICE TRACK 

SHAREPOINT GOVERNANCE: GATHER YOUR REINS BEFORE 
JUMPING INTO THE SADDLE 
WENDY HENRY 

Don't lose control of SharePoint right out of the starting gate! Before 
unleashing the allure of SharePoint on your unsuspecting users, make sure 
you have standards in mind to control content growth, authorize access, and 
dictate site structure. My mother always said "an ounce of prevention is 
worth a pound of cure" and nothing stings as bad as a well-planned 
SharePoint design gone horribly wrong due to lack of diligence. Attend this 
pre-conference session to learn what you need to know BEFORE learning what 
you need to know about SharePoint. Orchestrate change control so that your 
company gets the most out of its SharePoint investment, in the beginning and
into the future! 

1PM - 4PM • PRE-CONFERENCE WORKSHOP • OFFICE TRACK

SUPPORTING SHAREPOINT DATABASES: THE DBA'S GUIDE 
WENDY HENRY 

The best laid plans of SharePoint admins can disintegrate in an instant... don't
let this happen to you! Whether you're the DBA or the person who wants to
communicate better with the DBA, learn how to protect your SharePoint configuration
and content by protecting the many databases that support your
SharePoint environment. From backing up to maintaining data source databases,
the SharePoint Administrator's job doesn't end when SharePoint
Central Administration closes. Attend this post-conference session to learn 
skills for maintaining SQL Server databases that house not only your 
SharePoint content but Business Data, Reporting Services, and Search 
Indexes as well. It's SharePoint... from the SQL Server point of view!

9AM - 4PM • PRE-CONFERENCE WORKSHOP • POWERSHELL TRACK 

WINDOWS POWERSHELL JUMP START 
JEFFERY HICKS 

You know PowerShell will be a part of your future, so what are you waiting 
for? This HANDS-ON workshop will give you a jump start on the road to 
PowerShell. You will learn PowerShell fundamentals, such as navigating the 
shell, working with key cmdlets, securing your PowerShell environment, writing
functions and filters, PowerShell scripting basics, managing the registry,
using WMI and ADSI in PowerShell, and much more. Bring your laptop pre-loaded
with PowerShell 1.0 and virtualization software that will allow you to
run a Windows 2003 or later domain controller. This session will focus on 
PowerShell 1.0, which is the only version approved for production use. By the 
end of the day you'll be able to write powerful one-liners that will amaze your 
peers, dazzle your boss, and accomplish a ton of work with minimal effort. 

9AM - 12PM • PRE-CONFERENCE WORKSHOP • VIRTUALIZATION TRACK 

VIRTUALIZATION: A JUMP START
ALAN SUGANO

Virtualization is one of the hot topics this year. With significant increases in 
performance of the current generation of server hardware with quad-core 
processors, high memory capacity, and Serial Attached SCSI (SAS) drives, 
much of the processing power on a server goes unused. Virtualization allows 
you to take advantage of this processing power by running several virtualized 
servers on one physical host. If you're considering virtualization and are new 
to this technology, this workshop will get you up to speed. You'll learn about 
the following topics: 

■ Virtualization hardware; server processors, memory, and hard drive configurations;
optimization of the hardware and the virtual environment for
the best virtual guest performance; and running the x64 platform for virtual
hosts and guests.

■ Virtualization software (Virtual Server 2005, VMware Server, ESX Server). 

■ Backup strategies of virtual servers. 

■ Virtualization and high availability. Learn about the high availability solutions
from Microsoft and VMware in the virtual server environment.

■ Virtual guest limitations and how to determine if virtualization is a good 
fit for your application. 

1PM - 4PM • PRE-CONFERENCE WORKSHOP • VIRTUALIZATION TRACK 

VIRTUALIZING MICROSOFT SERVER APPLICATIONS
ALAN SUGANO

Virtualization is a great technology, but how does it fit in with Microsoft 
Server Applications? This workshop will focus on SQL Server, Exchange 2007,
and WSS 3.0/MOSS 2007 in a virtual environment. Each server application has
different needs in a virtual environment. For each server application we will 
examine the following issues: 

■ To Virtualize or not to Virtualize, this is the first question! 

■ 32- or 64-bit? 

■ Server configuration: Number of processors, type, memory, disk 
configuration, network cards, SAN type? 

■ What virtualization software should you use for your application? 

■ How do you configure guests for the best performance? 

■ How many users can you place on each virtual server? 

■ How many virtual guests can you place on a host? 

■ What are the High Availability Solutions for an environment? 

1PM - 4PM • PRE-CONFERENCE WORKSHOP • WINDOWS TRACK

GROUP POLICY ESSENTIALS: CONFIGURATION, CONTROL,
AND SECURITY
JEREMY MOSKOWITZ

Group Policy is the most efficient way to manage desktops in a Windows
environment. If you are still running to machines to install desktops, you are not
taking full advantage of the power of Group Policy. In this practical workshop, 
Jeremy Moskowitz will help you gain control of your environment and get 
your life back. This is the perfect session to take before doing "deep dives" 
into the main sessions of the conference. You'll get a little bit of everything: 
deployment, configuration, control, and security! We'll warm up with some 
Group Policy basics. Then, you'll learn how to get your XP and Vista client 
machines up and running with some new set-up options. After your machines 
are up and running, Jeremy will show you how to manage your environment 
with templates, zap printers down to your computers, and remotely deploy 
software to your users' desktops. Finally, you'll learn how to use Group Policy 
to secure collections of machines. We'll examine how Group Policy can do the 
heavy lifting to the jobs you want to do! This session has both XP and Vista 
content. (Note: Expanded material on some sections can be seen in some of 
Jeremy's other talks.)

POST-CONFERENCE DAY • MAY 1, 2008


9AM - 4PM • POST-CONFERENCE WORKSHOP • WINDOWS TRACK 

THE BDD AND BEYOND: MICROSOFT DEPLOYMENT 
FRAMEWORKS FOR REAL-WORLD SUCCESS 
DAN HOLME 

Join Windows Connections speaker chair and deployment guru Dan Holme for 
a deep dive into the revolutionary new tools and technologies used to deploy 
Windows Vista, XP, and Server 2008. Learn how to implement Microsoft 
Deployment (formerly known as the BDD) and real-world best practices for 
the design, deployment, and maintenance of Windows clients. Go way beyond 
what Microsoft tells you so that you can effectively support clients with 
applications, configuration, security patches, and service pack rollouts into 
the future. You will take away a deployment and systems management 
methodology that works and a solid understanding of its functionality so that 
you can further refine the methodology to apply to your enterprise. You'll 
learn how WinPE, WDS, and Microsoft Deployment work. You'll also get a
one-of-a-kind set of tools and scripts to help you manage systems more
effectively with or without SMS/SCCM. This is the best deployment training in the
world, and it's only at Windows Connections. 

9AM - 4PM • POST-CONFERENCE WORKSHOP • EXCHANGE TRACK 

GET THE 411 ON MICROSOFT EXCHANGE UNIFIED MESSAGING 
(BRING YOUR OWN LAPTOP) 

PETER O'DOWD, MVP 

Microsoft Exchange Server 2007 Service Pack 1 extends your messaging
system beyond digital data and into digital voice. This one-day workshop will
show you how your Exchange Server can become a unified communications
system that accepts voice mail and provides users multiple ways to access it.
Peter O'Dowd explains Unified Messaging as only an Exchange and OCS MVP can,
and then walks you through a series of hands-on labs that will demonstrate this
powerful but little understood feature of Exchange Server 2007. NOTE: The
laptop you bring MUST have at least 2GB of memory, 15GB free disk space,
DVD drive, and a headset with microphone.

9AM - 4PM • POST-CONFERENCE WORKSHOP • EXCHANGE TRACK 

HARDCORE OCS: COMPLETE UNIFIED COMMUNICATIONS TEST 
LAB DEVELOPMENT (BRING YOUR OWN TWO LAPTOPS) 

THOMAS FOREMAN, MVP 
VALENTINE BOIARKINE, MVP 

Not for the faint of heart, in this one-day workshop you will build a complete 
Unified Communications test lab that will reveal how OCS and Exchange with 
Unified Messaging will work in your environment. You will bring two laptops 
and build a lab that includes a SIP gateway, integrated with both OCS and 
Exchange, which lets you place a call inbound to an Office Communicator 
client and leave a voice message using Exchange Unified Communications. 
Take this configuration back to your own test lab to see how OCS and 
Exchange Server 2007 will function in your unique lab environment. NOTE:
The laptops you bring MUST have at least 2GB of memory, 15GB free disk
space, and DVD drive, NIC, and headset with microphone.

9AM - 4PM • POST-CONFERENCE WORKSHOP • VIRTUALIZATION TRACK 

VIRTUALIZATION HANDS ON BOOT CAMP 
RICK WATSON 

Bring your laptop to this incredible one-day session. You will be equipped to
quickly take advantage of the free virtualization capabilities of VMware Server
and introduce concepts of VMware Virtual Infrastructure (ESX Server based) 
virtualization. The course will also help you avoid some of the most common 
mistakes made by those new to virtualization. You will learn to: install and 
configure VMware Server; install and configure virtual machines; configure a 
Windows 2003 host for remote administration via the Web interface; and 
understand VMware Virtual Infrastructure (ESX Server based) virtualization. 
Who Should Attend? System administrators, server operators, software
developers and testers, and anyone else exploring server virtualization for the first time.
Prerequisites: System administration experience on Microsoft Windows servers. 
Requirements: A laptop with at least 1GB of RAM. More detailed requirements 
will be available in early 2008. 

Highlights: downloading VMware Server; installing VMware Server; installation 
considerations; creating a Virtual Machine (VM); choosing the right VM
settings; virtual disk, networking, and administrative options; changing,
adding, and removing virtual hardware; installing the guest OS and VMware 
Tools; Remote Management Options and Tools; configuring Windows 2003 IIS 
for remote access; and VMware Virtual Infrastructure (ESX Server based) 
virtualization. 

9AM - 12PM • POST-CONFERENCE WORKSHOP • OFFICE TRACK 

WSS 3.0 IMPLEMENTING CUSTOM WORKFLOWS 
MELISSA FRASER 

Long gone are the days of the interoffice envelope. A major feature of WSS 
3.0 is the ability to route content through a business process. These
processes are represented by using workflows. A workflow is a natural way to
organize and run a set of work units, or activities, to form an executable
representation of a work process. The workflow functionality in Windows SharePoint
Services 3.0 is built on the Windows Workflow Foundation (WF), a Microsoft 
Windows platform component that provides a programming infrastructure 
and tools for development and execution of workflow-based applications. In 
this session, we will build a custom workflow end-to-end. We will discuss: 

■ Planning the workflow 

■ Creating the workflow steps 

■ Workflow testing 

■ Workflow deployment 

1PM - 4PM • POST-CONFERENCE WORKSHOP • OFFICE TRACK 

MONITORING AND OPTIMIZING SHAREPOINT INDEXES AND SEARCH 
WENDY HENRY 

How do you make sure your Microsoft Office SharePoint Server investment
pays off? By making sure your knowledge workers use it! Be certain your
users can find the relevant information they need by providing them the
most effective Search environment to increase their productivity. Both
beginners and experts will benefit from learning how to optimize index
performance in order to improve Search result click-through statistics, how to
use native Search reporting to determine workload thresholds in order to 
plan for additional indexing servers, and how to utilize the many Search Web 
Parts included with MOSS to enhance the user Search interface. Attend this 
pre-conference session for a look at SharePoint Search as you've never seen 
it before, from the index out! 


SESSIONS AND SPEAKERS ARE SUBJECT TO CHANGE. 

SEE WEB SITE FOR UPDATES AND ADDITIONAL SESSIONS.

EVENT INFORMATION

HOTEL INFORMATION

ORLANDO, FLORIDA

HOTEL ACCOMMODATIONS

The Hyatt Regency Grand Cypress Resort,
One Grand Cypress Blvd., Orlando, FL
is the conference site and host hotel.
SPACE IS LIMITED so reserve your room
early by calling the conference hotline at
800-505-1201.

AIRLINE

Please call Pericas Travel at
203-562-6668 for airline reservations.

CAR RENTAL

Hertz is offering auto rental discounts to
attendees. Call the Hertz Meeting Desk at
800-654-2240 for reservations and refer
to code CV# 010R0034 to receive your
attendee discount.

AIRPORT SHUTTLE

Mears Transportation is the designated
ground carrier at Orlando International
Airport. The shuttle may be picked up
at Level 1 of the airport. The shuttle is
available 24 hours a day. The rates to the
Hyatt Regency Grand Cypress hotel are
as follows: One-way is $18.00 and $30.00
round-trip. You may call Mears directly at
407-843-2404 for more information or go
to their Web site:
www.mearstransportation.com.

Prices are subject to change.

EXTEND YOUR STAY

Come early or stay late. Bring the family! You are in the land of
fantasy for children of all ages. Walt Disney World - Magic
Kingdom® Park, Disney MGM Studios®, Epcot® and Disney's
Animal Kingdom® Theme Park. In addition, explore Kennedy
Space Center, Sea World, and Universal Studios Theme Park, or
take a short drive to beautiful white sand Atlantic beaches.

TAX DEDUCTION 

Your attendance to a DevConnections conference may be tax 
deductible. Visit www.irs.ustreas.gov. Look for topic 
513 - Educational Expenses. You may be able to deduct the 
conference fee if you undertake to (1) maintain or improve skills 
required in your present job; (2) fulfill an employment condition
mandated by your employer to keep your salary, status, or job. 


ATTIRE 

The recommended dress for the 
conference is casual and comfortable. 
Please bring along a sweater or jacket, 
as the ballrooms can get cool with the 
hotel's air conditioning. 


SPONSORSHIP/EXHIBIT INFORMATION 

For sponsorship information, contact: 

Rod Dunlap 

phone: 480-917-3527 

e-mail: rod@devconnections.com 

See web site for more details. www.WinConnections.com 



GROUP DISCOUNT 

Register individuals from one 
company at the same time 
and receive a group discount. 

Call 800-505-1201 to take 
advantage of group discount pricing. 

NOTES & POLICIES: The Conference Producers reserve the right to cancel the conference by refunding the registration fee.
Producers can substitute speakers and topics and cancel sessions without notice or obligation. Updates will be posted on
our Web site at www.WinConnections.com. Tape recording and photography are not allowed at any session. Conference producers
will be taking candid pictures of events and reserve the right to reproduce. By attending this conference you agree to this
policy. You may transfer this registration to a colleague. Please inform us if you have any special needs or dietary
restrictions when you register. The conference registration includes a one-year print subscription to Windows IT Pro. Current
subscribers will have an additional 12 issues added to their subscription. Subscriptions outside of the United States and
Canada will be digital. $25 of the funds will be allocated toward a subscription to Windows IT Pro ($49.95 value).
REGISTRATION & CANCELLATION POLICY: Registrations are not confirmed until payment is received. Cancellations before
March 27, 2008 must be received in writing and will be refunded minus a $100 processing fee. After March 27, 2008,
cancellations and no shows are liable for full registration; it can be transferred to the next Connections Conference within 12 months
or to another person. Active Directory, Microsoft, MSDN, Outlook, Windows NT, Windows Server, Windows Vista, and Windows
are either trademarks or registered trademarks of Microsoft Corporation. All other trademarks are property of their owners.


1-3 registrants: $1,495 per person

Additional registrants after the 3rd (4th, 5th, 6th...): $1,295 per person ($200 off each)

CONFERENCE REGISTRATION • APRIL 27-30, 2008 


FULL CONFERENCE REGISTRATION INCLUDES KEYNOTE ON APRIL 27, 6:30PM, 
THROUGH CLOSING SESSION APRIL 30, 4:30PM 


NAME 

PRIORITY CODE 

COMPANY 

TITLE 

STREET ADDRESS (REQUIRED TO SHIP MATERIALS) 

CITY, STATE, POSTAL CODE 

COUNTRY 

TELEPHONE FAX 

E-MAIL ADDRESS (IMPORTANT) 


ONLINE 

www.WinConnections.com 

E-MAIL 

info@devconnections.com 

PHONE 

(800) 505-1201, (203) 268-3204 

FAX 

(203) 261-3884 

MAIL 

Microsoft Exchange Connections 2008 
Windows Connections 2008 
Office Connections 2008 
c/o Tech Conferences, Inc. 

731 Main Street, Suite C-3 
Monroe, CT 06468 


□ Microsoft Exchange Connections
    on or before March 11: $1395.00
    after March 11: $1495.00

□ Windows Connections
    on or before March 11: $1395.00
    after March 11: $1495.00

□ Office Connections
    on or before March 11: $1395.00
    after March 11: $1495.00


PRE-CONFERENCE WORKSHOPS SATURDAY, APRIL 26, 2008 LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS. 


□ 9:00AM - 4:00PM | Say What? Voice Technologies for IT Professionals | BOIARKINE & FOREMAN | $399
□ 9:00AM - 4:00PM | U-Fix-It: Troubleshooting Exchange Server 2007 | O'DOWD | $399

PRE-CONFERENCE WORKSHOPS SUNDAY, APRIL 27, 2008 LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS.

□ 9:00AM - 4:00PM | Walk in the Park: Office Communications Server | BOIARKINE & FOREMAN | $399
□ 9:00AM - 4:00PM | Walk in the Park: Microsoft Exchange 2007 | O'DOWD | $399
□ 9:00AM - 4:00PM | Windows PowerShell Jump Start | HICKS | $399
□ 9:00AM - 12:00PM | Virtualization: A Jump Start | SUGANO | $199
□ 9:00AM - 12:00PM | SharePoint Governance: Gather Your Reins BEFORE Jumping ... | HENRY | $199
□ 1:00PM - 4:00PM | Virtualizing Microsoft Server Applications | SUGANO | $199
□ 1:00PM - 4:00PM | Group Policy Essentials: Configuration, Control, and Security | MOSKOWITZ | $199
□ 1:00PM - 4:00PM | Supporting SharePoint Databases: The DBA's Guide | HENRY | $199

POST-CONFERENCE WORKSHOPS THURSDAY, MAY 1, 2008 LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS.

□ 9:00AM - 4:00PM | The BDD and Beyond: Microsoft Deployment Frameworks ... | HOLME | $399
□ 9:00AM - 12:00PM | WSS 3.0 Implementing Custom Workflows | FRASER | $199
□ 1:00PM - 4:00PM | Monitoring and Optimizing SharePoint Indexes and Search | HENRY | $199
□ 9:00AM - 4:00PM | Get the 411 on Microsoft Exchange Unified Messaging | O'DOWD | $399
□ 9:00AM - 4:00PM | Hardcore OCS: Complete Unified Communications Test Lab ... | FOREMAN & BOIARKINE | $999
□ 9:00AM - 4:00PM | Virtualization Hands On Boot Camp | WATSON | $399

CONFERENCE MATERIALS Full conference registration includes materials for the one conference for which you register.
You may purchase materials for the other concurrently run events.

□ Microsoft Exchange Connections Proceedings CD | $75
□ Windows Connections Proceedings CD | $75
□ Office Connections Proceedings CD | $75



♦IMPORTANT: You must reference Microsoft Exchange Connections, Windows Connections, or Office Connections on your check. 

□ CHECK (payable to Tech Conferences) All payments must be in US Currency. Checks must be drawn on a US bank. 


□ VISA □ MASTERCARD □ AMEX 

CREDIT CARD NO. EXPIRATION DATE 


Cardholder's Signature 


Cardholder's Name (print)

EARLY BIRD BONUS! 

See Web site for details.

REQUIRED READING | Feature

Vista and Server 2008 Malware Protection Gems

Use DEP and ASLR to protect yourself against buffer-overrun-based attacks 


Attacks based on buffer overruns (aka buffer
overflows) have been a problem for a long time
and are still considered one of the computer
industry's most important security problems. The first
buffer-overrun-based attack distributed via the
Internet, the Morris worm, did a lot of harm in 1988. The sad
thing is that the creators of the Morris worm didn't write
the worm to cause harm but rather as an experiment for
measuring the size of the Internet. The Morris worm
exploited weak passwords and known vulnerabilities
in UNIX programs such as sendmail and Finger. Two
recent well-known attacks that involved exploiting
buffer overruns, the Code Red and SQL Slammer worms,
exposed many Internet-connected systems to attackers'
control. In 2001, the Code Red worm exploited a
buffer-overrun vulnerability in Microsoft Internet Information
Services (IIS) 5.0 (the IIS version that is bundled with
Windows 2000), and in 2003, the SQL Slammer worm
used a buffer-overrun vulnerability to compromise
machines running Microsoft SQL Server 2000.

You can defend against buffer-overrun-based attacks 
by using defenses that Microsoft includes in Windows 
Vista and Windows Server 2008: Data Execution
Prevention (DEP) and Address Space Layout Randomization
(ASLR). (At the time of this writing, Microsoft was about to 
release Vista SP1 and had released Windows Server 2008 
RC0.) I'll explain why these defenses are important and 
how you can configure them and observe their behavior. 

Understanding Buffer Overruns 

Before going into more detail on the Vista and Server 2008 
buffer-overrun defenses, it might be worthwhile to look 
at how a buffer overrun works and how it can harm your 
systems and data. 

A buffer overrun occurs when a malicious or badly 
engineered program stores data beyond the boundaries 
of a fixed-length buffer in computer memory. The result 
is that the extra "overflowing" data overwrites adjacent
memory locations. The data that's overwritten can
include other buffers, variables, and program logic and
may cause a process to crash or produce incorrect results.
An even bigger threat is that the injected data often
includes executable code that the program under attack
is then lured to execute. This executable code often
contains the real payload of a buffer-overrun-based attack.
It's used to steal or delete data, create Denial of Service 
(DoS)-based service outages, trigger privilege elevations, 
or spread malware to other systems. 



Figure 1 gives a simple example of a buffer overrun. 
A program has defined two variables that are stored in 
adjacent memory locations. The first variable is an
eight-byte-long string called X; the second, a two-byte integer
called Y. Initially, X contains nothing but zero bytes, and 
Y contains the number 30. Imagine that a user (whether 
unintentionally or maliciously) inputs a character string 
OVERFLOW to this program. The program then attempts 
to store this character string in X's memory location 
followed by a 0 value to mark the end of the string. The 
program logic doesn't check the length of the string 
and partially overwrites the value of Y. The result is that, 
although the programmer didn't intend to change the 
value of Y when variable X receives input, variable Y's 
original value 30 is now replaced by the number that's 
part of the character string that was injected into the
variable X memory location.

Developers can prevent buffer overruns by including 
sufficient boundary checks in their program code and by 
leveraging compilers or runtime services that perform 
boundary checks. Boundary checks ensure that input 
data are of the right length. Although boundary checking 
and enforcement have become best practices for
developers, plenty of legacy code doesn't include boundary
checks. Also, coding best practices are worthless if some 
programmers don't follow them. 
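
The Figure 1 scenario as runnable C, contrasting the unchecked store with the boundary check described above. This is an added illustration, not code from the article; the struct, the function names, and the clamp that keeps the demo inside its own object are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of Figure 1: an 8-byte string X followed directly by a
   2-byte integer Y. Keeping both in one struct lets the demo overwrite Y
   without leaving the object, so the program itself stays well defined. */
struct frame {
    char     x[8];
    uint16_t y;
};

_Static_assert(offsetof(struct frame, y) == 8,
               "Y must sit directly after X for this model");

void frame_init(struct frame *f)
{
    memset(f, 0, sizeof *f);   /* X starts as eight zero bytes */
    f->y = 30;                 /* Y starts as 30 */
}

/* The flawed store: copies the string plus its terminating 0 starting at X
   and never compares the length with sizeof X. The clamp to the struct size
   exists only to keep this demo inside its own object.
   Returns the number of bytes written. */
size_t store_unchecked(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
    return n;
}

/* The boundary check: reject anything that does not fit in X together with
   its terminator. Returns 0 on success, -1 if the input is too long. */
int store_checked(struct frame *f, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof f->x)
        return -1;
    memcpy(f->x, input, len + 1);
    return 0;
}

int main(void)
{
    struct frame f;

    frame_init(&f);
    printf("before:    y = %u\n", (unsigned)f.y);

    /* "OVERFLOW" is 8 characters, so the terminating 0 is the 9th byte and
       lands on the first byte of Y. On a little-endian CPU that is Y's low
       byte, which turns 30 (0x001E) into 0. */
    size_t n = store_unchecked(&f, "OVERFLOW");
    printf("unchecked: wrote %zu bytes into an 8-byte buffer, y = %u\n",
           n, (unsigned)f.y);

    frame_init(&f);
    int rc = store_checked(&f, "OVERFLOW");
    printf("checked:   rc = %d, y = %u\n", rc, (unsigned)f.y);
    return 0;
}
```
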

These reasons explain why many hardware,
application, and OS software vendors including Microsoft have
developed proactive defenses that attempt to stop
buffer-overrun attacks in badly engineered code. Let's look at
Microsoft's implementations of DEP and ASLR. 


Data Execution Prevention

As I mentioned above, buffer-overrun-based attacks
often write executable malicious code to another
program's memory buffers and then trick the
program into executing the malicious payload. You can
tackle the execution of maliciously injected code
by using DEP. DEP lets Windows mark memory
locations that should only contain data as
non-executable (NX). When an application
attempts to execute code from NX-marked
memory locations, Windows' DEP logic will
block the application from doing so.

A negative side effect of the buffer-overrun
protection offered by DEP is that the
blocked application will typically halt. In
other words, even though DEP stops
malware from executing its malicious payload,
this situation creates a new opportunity for
malware to launch DoS attacks.

Microsoft includes DEP support not only
in Vista and Server 2008, but also in Windows
XP SP2, Windows Server 2003 SP1, and Windows
2003 R2. Microsoft's DEP implementation
comes in two flavors: hardware-enforced
DEP and software-enforced DEP.

Hardware-enforced DEP. Hardware-enforced
DEP leverages a processor feature
that AMD refers to as the no-execute
page-protection (NX) feature and that Intel refers
to as the Execute Disable Bit (XD) feature. At
the time of writing, AMD supported NX only
on its 64-bit processors, and Intel supported
XD only on the Itanium and EM64T 64-bit
processors and a small number of 32-bit
Prescott processors. Microsoft is not the only
OS vendor that leverages the NX and XD
processor features for stopping buffer
overruns: NX- and XD-enabled software is also
available in other OSs such as Linux and
UNIX BSD (see en.wikipedia.org/wiki/Nx-bit
for more information).

Software-enforced DEP. Software-enforced
DEP lets Microsoft provide DEP
on 32-bit processor systems
not equipped with an NX- or
XD-compatible processor. In
this software workaround, the
processor-level NX- or XD-bit
functionality is provided by a set
of special pointers that the Windows
OS automatically adds to
data objects stored in the system
memory.

You can easily check whether
your system supports hardware- or
software-enforced DEP by
checking the DEP configuration
settings. You can access these
settings using the Advanced Settings
option in the System Control
Panel applet and navigating to
the Advanced and Performance
Settings options.

At the bottom of the DEP configuration
settings screen, there's a reference to the type
of DEP your system supports. Figure 2 shows
the DEP configuration settings on a Vista
system. (I'll explain the other configuration
options later in this section.) The bottom line
reads, "Your computer's processor supports
hardware-based DEP."

If your system supports software-enforced
DEP (meaning that your machine doesn't
have the NX- or XD-compatible processor),
you'll see "Your computer's processor does
not support hardware-based
DEP. However, Windows
can use DEP software to
help prevent some types of
attacks."

An alternative way to
check whether your system
supports hardware- or
software-enforced DEP is
by using Windows Management
Instrumentation
(WMI) commands. The
procedure is outlined in the
Microsoft article at
support.microsoft.com/kb/912923.

On XP SP2, Windows
2003 SP1, and later Microsoft
OSs, DEP is enabled
by default. However, DEP
doesn't always protect all
programs running on your
system. The exact list of programs
that are protected by
DEP is defined by DEP's protection level. DEP
supports two protection levels:

• Level 1—The first level protects only the
Windows system code and executables
and doesn't offer DEP protection for additional
Microsoft or third-party applications
that run on your system.

• Level 2—The second level protects all
executable code that runs on your system;
it offers DEP protection for both Windows
system code and the Microsoft or third-party
applications that run on your system.

By default, XP SP2 and Vista run DEP at
protection level 1; Windows 2003 SP1 and Server
2008 run DEP at protection level 2.

Administrators can configure the DEP
protection levels from the DEP configuration
screen, which you can see in Figure 2. In this
example (which shows the default DEP
configuration settings on a Vista system), DEP
is enabled for essential Windows programs
and services only—DEP protection level 1.
You can use the other radio button, "Turn on
DEP for all programs and services except those
I select," to switch to DEP protection level 2,
which is the default setting on Windows 2003
SP1 and Server 2008.

Protection level 2 lets you exempt certain
applications from DEP protection. This
ability to exempt apps is important because
some legacy applications don't run properly
when DEP is enabled—for example, at the
time of writing, Microsoft Word was still
automatically exempted from DEP. Before
switching your DEP protection to level 2, you
must run an application compatibility test
to ensure that all applications run properly
when DEP is enabled. To exempt one of
your applications from DEP, you can add the
application's executable to the excluded list
in the DEP configuration screen using the
Add... button.

Figure 3: Checking DEP status of a process from the Task Manager

Table 1: Boot.ini NoExecute= Values and Their Meaning

/NoExecute= values | Meaning
AlwaysOn | DEP always turned on for all services and applications - grays out the DEP configuration screen (see Figure 2) in the system properties
AlwaysOff | Completely turns off DEP
OptIn | Turns DEP on and sets it to protection level 1
OptOut | Turns DEP on and sets it to protection level 2

You can easily check whether a given
application is protected by DEP by checking
the DEP column of the application's process
in the Windows Task Manager, which Figure
3 shows. If you don't see the DEP
column on your system, you can add it using
the Task Manager's View\Select Columns...
option.

Another way to exempt one of your
applications from DEP is to create a software
fix to distribute to your systems that
automatically disables DEP for a given
application on those systems. Microsoft refers to
such a software fix as a DisableNX shim. To
create this software fix, see the Microsoft
Application Compatibility Toolkit (ACT),
which also includes a
tool called Compatibility
Administrator
that can help
(technet.microsoft.com/en-us/windowsvista/aa905078.aspx).

Application developers
can also do the
opposite — directly
enable their applications
for DEP support
in their application
binaries. To do so, they
use the /NXCompat
compilation switch.

One important final note is that when DEP
is running in protection
level 2, your system will run
a bit slower because of all
the extra DEP checks that are
carried out on the processor
and system memory level.
That's why for test systems
that aren't exposed to the
Internet, for example, you
can consider turning off DEP
protection completely. The
only way to turn off DEP
completely on a given system is to specify the
/NoExecute=AlwaysOff switch in the system's
boot.ini file.

Note that you can also use the same
boot.ini /NoExecute= switch with other
values to turn DEP on and to set the DEP
protection level. Table 1 shows all the
/NoExecute= values.

The boot.ini file is available only on XP
and Windows 2003, and you can edit it using
Notepad or going to the Startup and Recovery
section in System properties.

On Vista and Server 2008, the boot.ini
has been replaced by the Boot Configuration
Data (BCD) file. To edit the BCD file,
Microsoft provides a command-line utility called
bcdedit.exe.

When you run bcdedit without switches,
it shows your current boot configuration.
Figure 4 shows the result of running bcdedit
on a Vista system. Note the last line that
holds the nx configuration OptIn. To change
the nx configuration to alwaysoff, you would
run the following bcdedit command:

bcdedit /set nx alwaysoff 


The values specified in Table 1 for the
boot.ini /NoExecute= switch are also
available for the BCD nx option.

For more information about Microsoft
DEP and how to configure it, consult the
Microsoft article at
support.microsoft.com/kb/875352/en-us.


Address Space Layout Randomization

Another technique often used by
buffer-overrun-based malware is to inject a system
memory path that points to the location of
an important system DLL into another
program's buffer. The malware then tricks the
program into calling that particular system
file to let the malware leverage the system
DLL's services without being detected.

This type of buffer-overrun attack is
relatively easy to carry out if the OS always loads
certain system DLLs on the exact same
memory location. On XP, for example, the
memory locations of system DLLs are always
identical—they vary only slightly
depending on the service pack status of the system.
The new Vista and Server 2008 ASLR feature
makes it harder for malware to leverage a
system DLL's services by randomizing the DLL's
memory location. Unlike DEP, ASLR isn't
available on earlier Windows versions.

Each time a Vista and Server 2008 system 
reboots, ASLR randomly assigns system code 
(basically system DLLs and executables) to 
different memory locations. This means that 
the system code's entry points (the addresses 
the malware would use to call on the service 
of a particular piece of system code) are in 
unpredictable locations. In Vista and Server 
2008, a DLL or executable can be loaded into 
any of 256 locations. This 
means that an attacker has 
a 1/256 chance of getting 
the address right. As such, 
ASLR also makes it harder
for hackers to write repeatable
code such as worms
that target identical system
resources on many different
systems.

You can observe the
effect of ASLR by using
the Sysinternals Process
Explorer tool, which you
can download at
www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx. To
use the tool, start Process
Explorer and ensure that
you have selected the
Show Lower Pane option
in the View menu.

Then select the
explorer.exe process in the
upper pane and check the
base address of the ntdll.dll
in the base column in
the lower pane. (If you
don't see the base column
you can add it by using the
View / Select Columns...
menu option—the Base
column can be added
from the DLL tab.)

Write down the base
address, then reboot your
system. On an XP system,
the base address for ntdll.dll
remains identical after a
system reboot (XP doesn't
support ASLR). On a Vista
system, the base address
is different after a system
reboot (because Vista
supports ASLR).

Figure 5 shows the Process Explorer inter¬ 
face and the base address for the ntdll.dll 
DLL. Table 2 shows the base addresses I 
found for the ntdll.dll and user32.dll DLLs 
when running Process Explorer on an XP SP2 
system and on a Vista system. 

You can leverage ASLR not only for randomizing the memory locations of Windows system files but also for randomizing the memory locations of executables and DLLs of any application that runs on Vista or Server 2008. To do so, application developers must compile their code with the /dynamicbase linker option. Microsoft Visual Studio supports this option from Visual Studio 2005 SP1 and later.
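The /dynamicbase opt-in is recorded in the image's PE header, so it can be audited from the file on disk without a reboot. The following Python code is an added example, not part of the original article: it reads the DllCharacteristics field and reports whether an EXE or DLL is marked for ASLR and for DEP. The function names and the sample headers are constructed for illustration.

```python
import struct

# Values from the Microsoft PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the /dynamicbase linker option
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image declares DEP compatibility
PE32, PE32_PLUS = 0x10B, 0x20B                  # optional-header magic values


class PEFormatError(ValueError):
    """Raised when the bytes are not a well-formed PE header."""


def read_mitigation_flags(data: bytes) -> dict:
    """Report the ASLR/DEP opt-in state recorded in a PE image header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing MZ (DOS) header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    if opt + 72 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing or truncated PE header")
    opt_size, coff_chars = struct.unpack_from("<HH", data, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if opt_size < 72 or magic not in (PE32, PE32_PLUS):
        raise PEFormatError("unsupported optional header")
    # ImageBase is the *preferred* load address, not the address seen in
    # Process Explorer: 4 bytes at +28 (PE32) or 8 bytes at +24 (PE32+).
    if magic == PE32:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    # DllCharacteristics sits at +70 in both header flavours.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "preferred_base": image_base,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Without relocation data the loader cannot move the image,
        # so the flag alone does not guarantee randomization.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def check_file(path: str) -> dict:
    """Read only the header region of a file on disk and report its flags."""
    with open(path, "rb") as fh:
        return read_mitigation_flags(fh.read(4096))


def build_sample_header(magic, image_base, dll_chars, coff_chars=0x0102):
    """Constructed test input: a minimal PE header, not a loadable program."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24 + 0xF0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt_size = 0xF0 if magic == PE32_PLUS else 0xE0
    struct.pack_into("<HH", buf, e_lfanew + 20, opt_size, coff_chars)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, magic)
    if magic == PE32:
        struct.pack_into("<I", buf, opt + 28, image_base)
    else:
        struct.pack_into("<Q", buf, opt + 24, image_base)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "linked with /dynamicbase": build_sample_header(PE32, 0x00400000, 0x0140),
        "legacy build, no opt-in": build_sample_header(PE32, 0x00400000, 0x0000),
        "flag set, relocs stripped": build_sample_header(
            PE32_PLUS, 0x140000000, 0x0140, coff_chars=0x0023),
    }
    for label, blob in samples.items():
        r = read_mitigation_flags(blob)
        print(f"{label:28} base=0x{r['preferred_base']:X} "
              f"dynamic_base={r['dynamic_base']} nx_compat={r['nx_compat']} "
              f"aslr_effective={r['aslr_effective']}")
```

Run `check_file` over an application's install directory to list the binaries that were not rebuilt with /dynamicbase and therefore still load at a predictable address.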

Like DEP, ASLR is not a Microsoft-only invention and implementation. ASLR was implemented long before Vista and Server 2008, on platforms such as Linux and UNIX. Also, certain Host Intrusion Detection System (HIDS) solutions supported ASLR on legacy Windows platforms long before the native Windows support.

Figure 5: Observing the effect of ASLR with Sysinternals Process Explorer

A good analysis of the Microsoft ASLR implementation in Vista is offered in the Symantec research paper at www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf. Unlike with DEP, Microsoft doesn't offer ASLR-specific configuration settings for fine-tuning the use of ASLR.

Table 2: Effect of ASLR on DLL Base Addresses

DLL          Windows XP SP2    Windows XP SP2 base       Windows Vista    Windows Vista base
             base address      address (after reboot)    base address     address (after reboot)
             (No ASLR)         (No ASLR)                 (With ASLR)      (With ASLR)
Ntdll.dll    0x70900000        0x70900000                0x77AF0000       0x776B0000
User32.dll   0x7E410000        0x7E410000                0x76880000       0x76520000

Important Proactive Defenses

DEP and ASLR each use a slightly different proactive defense approach as a buffer-overrun defense. Where ASLR makes it more difficult for malware to find the right code, DEP makes it more difficult for malware to execute the code once the target code is found. You can leverage both techniques at the same time and they can also be leveraged in virtual computing environments such as Microsoft Virtual PC or VMware products.

From an application-support point of view, you should remember that you must test your applications for DEP compatibility prior to deploying them on a DEP-enabled Windows platform. DEP can cause certain applications to stop working properly or even halt.

Finally, it's important to understand that DEP and ASLR aren't a panacea for the buffer-overrun problem. Both techniques certainly make it much more difficult for malware to leverage buffer overruns. ASLR, for example, doesn't make it impossible for malware to find system code, but it makes the process of finding system code much more challenging. In many cases, ASLR and DEP will also effectively stop buffer-overrun-based attacks.

InstantDoc ID 98005
Q: I reinstalled Microsoft Office Outlook 2007 and I no longer see names "autofilling" when I type them in the To field of an email message. What's up?

A: The feature you're asking about is called AutoComplete. It proposes names as you type 
in the To, Cc, and Bcc fields of email messages, meeting requests, assigned tasks, and share 
requests, as well as in the email field of contacts. 

A common misconception about this feature is that it "pulls" names from your contacts. 
It should pull names—but it doesn't. Microsoft, are you listening? Hello—Office 14 feature 
request! 

What it does do is suggest names based on email addresses you have typed before, whether 
those names are in your address book or not. If you reinstall Outlook, you lose that history 
(although upgrading preserves it). Here are a couple pointers about using AutoComplete: 

• If a name appears in the AutoComplete list that you don't want to appear, scroll down to it and press Delete. This helps to prevent you from accidentally sending an email message to someone you emailed once before.

• The AutoComplete list is stored in a file named Outlook_profile_name.nk2. So, for example, if my Outlook profile name is Dan, my AutoComplete list is dan.nk2. You can find the list stored in the Outlook folder in the local settings folder of your user profile, which is %userprofile%\AppData\Local\Microsoft\Outlook on Windows Vista and %userprofile%\Local Settings\Application Data\Microsoft\Outlook on Windows XP. You simply copy and paste this file to transfer it between systems. You can rename the file if the profile name has changed (e.g., rename Dan.nk2 as DanHolme.nk2). Logically, this file ought to be in the roaming portion of your user profile, though it's not.

Q: I have a SharePoint site with forms-based authentication. When I try to do <fill in the blank> using an Office application, it doesn't connect correctly. How can I make it work?

A: I'm asked variations of this question frequently, hence <fill in the blank>. It could be that you're trying to open a library in Windows Explorer, connect to a SharePoint site with Microsoft Office SharePoint Designer 2007, export to Microsoft Excel, connect to a list with Microsoft Access, or complete another task. Whatever it is you're trying to do, when you use forms-based authentication, you must select the Sign me in automatically checkbox, and Microsoft Internet Explorer (IE) must remain open. Your Office application (i.e., SharePoint, Access, Excel) will ride on the authentication you've created.

Technically, what happens is that your forms-based authentication creates a persistent cookie, which client applications can use. If you don't select Sign me in automatically, or if persistent cookies aren't allowed in your environment, client integration will fail.

Here are two other important tips regarding forms-based authentication:

• The persistent cookie expires. So "sign me in automatically" is a bit of a misnomer—by default, it signs you in for 30 minutes. To change the timeout value, you must change or add a timeout attribute with a timeout value expressed in minutes. You add this to the forms element in the Web.config file for the application. For example, to change the timeout to two hours, type

<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
timeout="120" />

where "120" is the timeout value of two hours, expressed in minutes. (The previous entry wraps to several lines because of space constraints here; you should type it on one line in the file.) A longer timeout also lengthens the period during which a copied persistent cookie remains usable, so set it no higher than client integration requires.

• You must have client integration enabled for the SharePoint application. In SharePoint Central Administration, open the settings for the application's authentication provider and select Yes in the Enable client integration section.

Q: How can I remove duplicates from an 
Excel database? 

A: Luckily, Microsoft Office Excel 2007 made it significantly easier to remove duplicates from a database. Simply select any cell in your data table and click the Remove Duplicates button on the Data tab of the Ribbon. You'll be prompted to choose the columns to analyze for duplicates. If two or more rows contain the exact same data in the selected column or columns, the duplicate rows will be deleted, leaving only one row with that data. Easy, huh?

Keep in mind that Excel can open many 
common data file formats, such as .csv and 
.txt files, for delimited data. So 
if you have duplicate data in 
another application that doesn't 
support duplicate purging, you 
can export to Excel, remove 
duplicates in Excel, then export 
back to the original database. 

Q: Where are SharePoint documents stored on the server? What are the options for backing up and restoring SharePoint documents?

A: All SharePoint content is stored in a Microsoft SQL Server database. There are several options for backup and restore that enable SharePoint to support document storage more effectively than traditional file shares.

Recycle Bin. Users have access to items (to which they have permissions) in the Recycle Bin for the site. If they delete something, they can restore it right away. You configure Recycle Bin settings for the site's Web application through Central Administration, where you specify the Recycle Bin's size and how long an item will remain in the site Recycle Bin before being removed.

Second-stage Recycle Bin. Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 have a second-stage Recycle Bin at the site-collection level. When an item is removed from a site's Recycle Bin based on the time configuration mentioned previously, the item is placed in the second-stage Recycle Bin. An administrator can recover items from there by navigating to the Site Settings for the top-level site in the site collection and clicking the Recycle Bin link. The size of this Recycle Bin is configured, also in the Web application settings, as a percentage of the size of a site's Recycle Bin. If the second-stage Recycle Bin fills, the items placed in the Recycle Bin first are removed to make room for new items.

Versioning. SharePoint Server 2007 lets you view the version history of an item or file. This is useful when users damage files without actually deleting them, such as erasing a file's contents or overwriting a good file with a bad file of the same name. If your document library has versioning enabled, you can simply go to the document's Version History and recover the "good" version.

Content database. Each Windows SharePoint Services site collection is stored in a content database, which is the actual SQL Server database. The content database can be recovered in the event of corruption by using transaction logs, or it can be restored using either SQL Server recovery methods or the restore functionality within SharePoint Central Administration. Of course, that assumes you have a good backup plan for your SharePoint databases, which is paramount.

Third-party add-ons. Third-party ISVs offer item-level recovery solutions, which enable SharePoint administrators to restore granular items from backup. Tools include Quest Software's Recovery Manager for SharePoint, AvePoint's DocAve, and IBM's Tivoli Storage Manager for Microsoft SharePoint.

Q: When I travel to another time zone and 
look at Calendar in Microsoft Outlook Web 
Access (OWA) in Exchange Server 2003, 
it shifts all my appointments to match the 
time zone I traveled to. How can I see my 
appointments in my "home" time zone? 

A: Good question! In OWA, in Options, there's a time zone setting, Current Time Zone, which Figure 1 shows. Changing it, though, doesn't change the time in which appointments are displayed. In fact, I can't see what this setting does change. Instead, as you experienced, OWA uses the time zone on the client (the Windows time zone) to display calendar items.

However, if you use the basic OWA client (instead of logging on to the premium client) this setting does work. OWA 2007 in Exchange Server 2007 seems to have solved the problem, and your calendar entries should reflect the time zone option that you configured.

InstantDoc ID 96106
SharePoint, Office, Windows, and Active Directory implementations.

[Figure 1: Outlook Web Access options page, showing the Current Time Zone setting]
Tricks & Traps - Ask the Experts 


Q: What's new in Windows Live OneCare 2.0?

A: Live OneCare 2.0 introduces welcome support for the 64-bit versions of Windows Vista and Windows XP. This version also adds more PC health and maintenance functionality, including:

• The ability to specify a hub PC and manage other PCs centrally via a common Live ID

• Wi-Fi connection security assistance for providing a protected wireless experience

• The ability to back up photos and other information to online resources

• Printer sharing support

• System startup optimizer

• Proactive fix and recommendation advice to keep PCs healthy

• Monthly reports of usage on as many as three PCs on the same home network

InstantDoc ID 97940

—John Savill

Q: What's the Microsoft Update Catalog 7.0?

A: Microsoft has released a new version of its catalog Web site, which lists updates, drivers, and hotfixes that you can download from update.microsoft.com for local installation. The catalog is available at catalog.update.microsoft.com/v7/site/Home.aspx.

To use the site, enter a term in the search box on the main page (e.g., vista 64-bit driver) and click Search. A list of all matching updates will be displayed. Click Add next to each update you want to download, which adds the update to the update basket.

You can perform multiple searches and add more updates to the basket. After all the desired updates are in the basket, click the view basket link under the search box, which displays all the updates in the update basket, as Figure 1 shows.

Click the Download button, and you'll be prompted to confirm a folder to which to download the updates, then click Continue. After the download is complete, click Close in the download window.

Each update is placed in a separate subfolder in the destination folder, and each subfolder has the same name as the update title.

You can then manually install the updates by double-clicking them, or you can inject them into a Windows Imaging Format (WIM) file.

InstantDoc ID 97939

—John Savill

At a Glance

• Keeping your system secure with Live OneCare 2.0
• Learning about Microsoft Update Catalog 7.0
• Clearing the Outlook auto-complete address cache
• Granting users permission to add/remove themselves from a distribution group

Q: How can I clear the Microsoft Office Outlook auto-complete address cache?

A: Outlook has an auto-complete cache to help fill in recipient information when adding recipients. If you want to delete this auto-fill cache, you can delete individual items or the entire cache. You remove individual items by typing an address on the To line of an email, and when the auto-fill suggestion is displayed, press the Delete key. To delete the entire cache, stop Outlook, navigate to the %APPDATA%\Microsoft\Outlook folder (type this in the Explorer address bar), and delete the Outlook.NK2 file. Restart Outlook.

InstantDoc ID 97941

—John Savill

Q: How do I give people permission to add or remove themselves but not others from a distribution group?

A: The Self security principal is a useful tool for working with groups. Open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in and enable Advanced Features (View, Advanced Features). On the Security tab, select the Self principal and click Add/Remove self as member, which will allow users to add and remove themselves from the group but not affect anyone else.

InstantDoc ID 97942

Figure 1: Viewing the Update Catalog basket
Decommission Old Computers with Cipher

Encryption isn’t the tool’s only capability

Mark Minasi (www.minasi.com/gethelp) is a senior contributing editor for Windows IT Pro, an MCSE, and the author of 25 books, including Administering Windows Vista Security: The Big Surprises (Sybex). He writes and speaks around the world about Windows networking.

Did You Know... You can meet Mark Minasi at the upcoming Windows Connections 2008 conference in Orlando, Florida, April 27-30. For more information, visit www.winconnections.com.

For the past two months, we've been tinkering with Cipher (cipher.exe), the Windows command-line tool for controlling Encrypting File System (EFS). The bulk of EFS's job is to encrypt data files and manage the keys it uses for that encryption, as I demonstrated with the previous two columns' looks at the tool's /e, /d, /r, and other options. But Cipher offers other cool functionality, not least of which is its ability—with its /w option—to simplify the decommissioning of old systems.

Disk Decommissioning 

What do you do with old computers—sell them or donate them to a charity? The answer to that question is important because those old systems probably contain one or more hard disks that contain all sorts of confidential information. I always wince when I see someone selling an old laptop or desktop computer because I'm almost certain the seller hasn't removed his or her personal data from the system's hard disk. Perhaps the seller has formatted the disk, but there are so many tools on the market for restoring data from formatted disks that I wonder how many people have been embarrassed after selling a computer. A few times, I've purchased used computers and discovered personal-finance files, old email messages—you name it, all recovered without any genius.

So, before letting go of a computer, you need to 
ensure that its data won't fall into the wrong hands. One 
solution is to get rid of the computer but keep the hard 
disk, but then we're back to the question, "How do I get 
rid of the data on the disk?" Some people use old hard 
disks for target practice, which is fine if you live near a 
rifle range. I've seen an amazing US Army machine that 
shreds hard disks, but unfortunately I can't afford a toy 
like that. The best solution is to overwrite every sector 
on the disk with random patterns, and—according to 
some—repeat that several times. One erasure might not 
entirely overwrite a magnetic area. (Having said that, 
I'm not aware of an off-the-shelf hardware or software 
solution that can reliably read a hard disk that's been 
overwritten once.) 

Cipher’s Solution 

Cipher offers a method for erasing a hard disk so that you can feel fairly secure that none but the most technologically savvy bad guys can get to its erstwhile data. You perform the process in two steps. First, format the target disk. The easiest format procedure is probably to put the disk in a USB-compatible external hard-drive enclosure, then connect it to your new computer. Then, once you've emptied the disk, open a command prompt (I'm assuming your new computer is running at least Windows XP) and type

cipher /w:<d:>

where d: is the drive letter of the disk you're decommissioning. Cipher /w will overwrite all unused sectors on the disk with zeroes, then ones, and finally a random number. The key to understanding the process is the phrase "unused sectors." If you don't first format the disk, Cipher won't touch the sectors that contain your data!

You might be wondering why you need to go through the whole process of connecting the soon-to-be-decommissioned drive to a working system rather than, say, booting Windows Preinstallation Environment (PE) and running Cipher from Vista. I tried that latter solution with no success. Apparently, Windows PE lacks the suite of cryptographic support routines that Vista contains. Oh, and don't expect to get Cipher's overwrite process done quickly. In my experience, Cipher requires a minute or two per gigabyte. Start the overwrite at night, and your disk will be clean as a whistle by the time you wake.


Don’t Worry 

On a final note, let me save you some time and aggravation. When you make it known that you plan to use Cipher /w to decommission a drive, someone—inevitably a security guy—will no doubt claim that overwriting a drive a mere three times is insufficient to truly protect that drive from a determined hacker. Now, I freely admit to being a card-carrying security guy, but some of my compatriots seem more interested in worrying people than truly analyzing a security situation. Could the NSA or CIA retrieve data that has been overwritten only three times? Yes, those agencies probably could. But as long as you're not a member of Al Qaeda, you can surely rest easy after accomplishing a "mere" three overwrites.
Top 10

Free Virtualization Utilities

These tools will help you develop and manage your virtual environments

With virtualization technology making deep inroads into almost every aspect of IT, assembling your virtualization toolkit can really help you be prepared to deal with the wide variety of situations that you're likely to encounter. For instance, what do you do if you want to convert a virtual machine (VM) from Microsoft Virtual Server 2005 R2 to VMware? Or what if you've created a Microsoft Virtual Hard Disk (VHD) image, but it's run out of space and needs to be expanded? I've come up with a list of some of my favorite free virtualization tools for working with Microsoft or VMware VMs that can solve these problems and more.

10 Ultimate-P2V—Converting physical systems to VMs is one of the most common virtualization tasks. The Ultimate-P2V utility is essentially a plug-in for BartPE that creates new boot VM images by ghosting the physical image and then injecting drivers into a VMware VM image. This utility is far simpler to use than a tool such as Microsoft Virtual Server Migration Toolkit (VSMT), but it requires another third-party tool—Symantec Ghost or Acronis True Image, for instance—to create the disk image. You can find Ultimate-P2V at www.rtfm-ed.co.uk/?page_id=174.

9 Virtual Floppy Drive—Virtual Floppy Drive is another helpful tool; it lets you mount a virtual floppy drive from a VM. Creating a set of virtual floppy drives can be handy for loading storage drivers and other software for your VMs. Virtual Floppy Drive can be found at chitchat.at.infoseek.co.jp/vmware/vfd.html.

8 ISO Recorder—ISO Recorder is my favorite free utility for working with ISO images, and ISO images are really handy for installing the OS and other software on a VM. ISO Recorder integrates into Windows Explorer's context menu, and it lets you create ISO images and burn ISO images to CD-ROM or DVD. You can download ISO Recorder from isorecorder.alexfeinman.com/isorecorder.htm.

7 VMware Converter—This is my favorite conversion tool for VMware. VMware Converter is an easy-to-use, wizard-based tool that can convert either physical machines or Microsoft VMs to VMware VMs. VMware Converter works with Windows Server 2003 (32-bit and 64-bit), Windows XP (32-bit and 64-bit), Windows 2000, and Windows NT 4 (SP4 or later). You can download VMware Converter from www.vmware.com/products/converter.

6 VMDK to VHD Converter—If you're looking for a tool that can convert the other way—from VMware to Microsoft images—then you'll want to check out vmToolkit's VMDK to VHD Converter. Because most free tools seem oriented toward making VMware images, this is a welcome addition if you need to deal with both VMware and Microsoft VMs. You'll find the VMDK to VHD converter at vmtoolkit.com/files/folders/converters/entry8.aspx.

5 VMware Workstation 5.5 Disk Mount Utility—This utility lets you mount a VMware virtual hard disk file (.vmdk) on a Windows host. The virtual hard disk file is mounted as a drive, and you can read from and write to the .vmdk file. You can get VMware Workstation 5.5 Disk Mount Utility from www.vmware.com/download/eula/diskmount_ws_v55.html.

4 Virtual Server 2005 R2 SP1's VHDMount—VHDMount is Microsoft's answer to VMware's Disk Mount Utility. VHDMount is a command-line tool that lets you mount a VHD file (.vhd) as a local drive. VHDMount is included as part of Microsoft Virtual Server 2005 R2 SP1 (which is itself free).

3 VHD Resizer—Expanding an existing virtual hard drive has always been a problem for both Microsoft and VMware VMs. VHD Resizer can expand and shrink Microsoft's VHD files. It's also able to convert between Fixed and Dynamic file types. VHD Resizer is found at vmtoolkit.com/files/folders/converters/entry87.aspx.

2 VMmark—Does it seem like VMware has too many entries in this list? It's no wonder they're the market leader in virtualization. VMmark is another powerful and free tool; this one lets you benchmark applications running in VMware VMs. You can find VMmark at www.vmware.com/products/vmmark.

1 Virtual Machine Remote Control Client Plus—VMRCplus lets you manage, configure, and connect to Microsoft VMs. Unlike Virtual Server, VMRCplus doesn't require Microsoft IIS. VMRCplus can manage up to 32 VMs. You can download the Microsoft VMRCplus client from www.microsoft.com/downloads/details.aspx?FamilyID=80adc08c-bfc6-4c3a-b4f1-772f550ae791.

Michael Otey (mikeo@windowsitpro.com) is technical director for Windows IT Pro and SQL Server Magazine and coauthor of SQL Server 2005 Developer’s Guide (Osborne/McGraw-Hill).
What’s Hot

Jeff James (jjames@windowsitpro.com) is senior editor, products, for Windows IT Pro and SQL Server Magazine.

Reader: Dennis Podgorski, IT Manager
Product: AppDev Microsoft SQL Server 2005 and Java Training Programs
Company: AppDev
Contact: www.appdev.com


I use SQL Server 2005 at work, and I wanted to keep my skills updated, but without having to travel or leave my job to do so. My company will soon be upgrading a membership management system that is based on SQL Server, and we're also planning to move from Crystal Reports to SQL Reporting Services in the near future. I also wanted to learn how to program in Java, mainly to understand and customize the Alfresco Content Management system and the Zimbra Collaboration Suite (open source edition).

I first heard about AppDev and their Microsoft SQL Server 2005 and Java training programs either from a direct mail piece, or perhaps from seeing an AppDev ad in Windows IT Pro. I checked out the AppDev Web site, and saw that AppDev's training products weren't that expensive, and I liked that I could sample the products before purchasing. I considered attending an offsite training program as an alternative to AppDev's training products, but that just wasn't an option in our small work environment.

The AppDev CDs are well organized and I was able to get to sections I needed quickly. I also liked being able to refresh my understanding of complicated topics by watching the relevant sessions again if I needed to. After using both the SQL Server 2005 and Java training programs, I managed to learn what I needed to—all without having to be away from office, and it didn't cost me my entire training budget to do it.

There are some things that AppDev could improve upon. I'd like to see them adopt a monthly (or yearly) subscription program, where I could just learn the latest and greatest information without having to buy another training program, possibly similar to the way that the Lynda.com training site does. I'd imagine that a subscription would be cheaper in the long run as well. I did lose my installation key at one point, but my AppDev account rep quickly provided it to me without any questions or complaints.

—Dennis Podgorski, IT manager



Wanted: Your Real-World Experiences with Products

Have you discovered a great product that saves you time and money? Do you use something you wouldn’t wish on anyone? Tell the world in a review right here in What’s Hot: Readers Review Hot Products. If we publish your opinion, we’ll send you a Best Buy gift card and a free online subscription to a ProVIP publication of your choice! Send information about a product you use and whether it helps you or hinders you to whatshot@windowsitpro.com.
Disaster Recovery Tools 

Unitrends Data Protection Unit and Data Protection Vault 


Reader: Cameron Sauce, Operations Manager
Product: Unitrends Data Protection Unit and Data Protection Vault
Company: Unitrends
Contact: www.unitrends.com

Our company was looking for a more reliable disaster recovery tool, since our existing tape backup solution was inefficient, and our backups couldn't be validated. We also were worried about files being lost due to system errors or natural disasters. Our customers need access to documents quickly, whether they need the files for auditing, compliance or other business use. Tape couldn't provide the time to recovery our customers needed, so it was time to start thinking about disk-based backup solutions.

After investigating several other disk-based backup options, we decided on a Unitrends Data Protection Unit (DPU). The Unitrends architecture ensures that data never leaves the backup environment, and the Unitrends management GUI simplifies the backup process. For added disaster recovery protection, we also decided to go with a Unitrends Data Protection Vault (DPV), which allowed us to replicate data to a climate-controlled, fire-proof vault that is stored off-site. The DPV is protected by surveillance and security software, and has its own generators in case of a power outage.

We've found that the Unitrends backup solution is well-suited to 
our business model. It enables our new disaster recovery service, and 
protects our customers' business documents. It has added value to 
what we're able to offer, improves our customer service and helps us 
position our company as a trusted technology advisor. 

We haven't had many issues with the Unitrends DPU, although 
we've occasionally experienced a failed backup or a scheduling 
issue, probably due to a job purging process not completing. These 
issues are likely due to the storage capacity of the DPU unit itself— 
we've outgrown the available space on the unit. 

We were impressed with the Unitrends product and realized that 
we could market a new service to our customers. It's not often that 
a company's disaster recovery solution contributes to revenue, but 
that's exactly what Unitrends did for us. 

What’s Hot 


Active Directory Management 

Ensim Unify Enterprise Edition 1.5 


Reader: Francis Marquez, IT Support Specialist
Product: Ensim Unify Enterprise Edition 1.5
Company: Ensim
Contact: www.ensim.com

Our IT department had been looking for an application that would simplify
Active Directory (AD) management—ideally through a central Web-based
management console—and we began searching for a solution that could do
what we need. I came across a magazine advertisement for Ensim Unify
Enterprise Edition 1.5, and we decided to give the product a try.

Installation of Ensim Unify was very easy and straightforward: By far, it
featured one of the easiest and smoothest installation processes I've seen
when installing to a server OS. We immediately put Ensim Unify to work, and
several features stood out for us as being the most significant.

It's very easy to create new AD users thanks to the User Template
function, and the distribution list management feature has been very
useful. Ensim Unify also offers extensive security group management
as well. After we installed and launched the software, a single
mouse-click populated all of our security groups into a very user-friendly,
very readable format.

My only gripes with the product deal more with the licensing
structure than the product itself. For example, I was unable to get
the activation tool to communicate with their licensing server. The
end result was to make an exception in our firewall specifically to a
certain port and IP specific rule. It would also be nice if the program
could populate the distribution lists for Exchange in the same way
that it does for the AD security groups, but that may be more of a
Windows shortcoming than something that Ensim Unify could do.

I've also found that the Ensim support staff and sales team are some
of the nicest and most courteous people I've come across in this
industry—they've been very helpful and knowledgeable.


InstantDoc ID 98120 


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SEND US YOUR INDUSTRY HUMOR! Email your funny screenshots, favorite end-user moments, and humorous IT-related pics to 
rumors@windowsitpro.com. If we use your submission, you’ll receive a Ctrl+Alt+Del coffee mug.


[Reader-submitted screenshots. Captions: "Patience ...Is a Virtue," "Conundrum," "Communication," "Phone Foul," and "Worry." Legible dialog text includes "Please be patient, I heard you the first time! STOP CLICKING!" and "Sorry!! We don't support this ID. Your ID are't Correctly!!"]

User Moment of the Month

In the days of the 5.25" floppy disk, I manned a Help desk at a university.
One day, a professor called and said, "My Lotus 123 disks aren't any good.
The computer won't read them and makes a loud noise when I insert them."
I gave him a second set, and he experienced the same problem. I asked him
to bring the disks in so that I could try them on a lab computer. As he
opened his briefcase, he said, "Why do manufacturers make it so hard to
remove the wrapping?" I stared in amazement. He had popped the welding
rivets off each floppy disk and removed the square plastic protector
sleeves. He was handing over a wobbly stack of round, floppy plastic discs.

—Dean Edwards


The IT Pro at Home!

What do you do after a long day at the office tinkering with systems and
dealing with end-users? We're willing to bet you go home and do the same
thing! You tinker with your home-networking setup, share media files across
your systems, and solve the problems your family members are having with
their satellite systems. You've got a connected home, and you probably use
many of the same solutions there as you do at work. That's where Connected
Home Media (www.connectedhomemag.com) can help. You're not only the IT Pro
at work—you're the IT Pro at home! Sign up for the free Connected Home
Express newsletter (www.windowsitpro.com/email) and get your tips about
media sharing, home-network security, backup and recovery, home theater,
and more!